Crypto, security, comp-sci specialists speak out on NSA

In an open letter, more than 50 luminaries in computer science, cryptography, and security join together to decry reported efforts by the agency to undermine encryption and network security.

Edward Moyer Senior Editor
[Photo: The NSA's Data Center in Bluffdale, Utah, with a housing subdivision in the foreground. Credit: George Frey/Getty Images]

More than 50 big names in the fields of computer science, security, and cryptography have published an open letter calling for an end to the NSA's controversial spying practices, including reported efforts to undermine encryption and network-security standards.

"Every country, including our own, must give intelligence and law-enforcement authorities the means to pursue terrorists and criminals, but we can do so without fundamentally undermining the security that enables commerce, entertainment, personal communication, and other aspects of 21st-century life," reads the letter, which is signed by, among many others, Edward Felten and Steve Bellovin, both former chief technologists for the Federal Trade Commission.

Other signatories include Shai Halevi, director of the International Association for Cryptologic Research, and researchers from MIT, Georgia Tech, Carnegie-Mellon, Princeton, Yale, Harvard, and a raft of other respected universities.

The NSA has sidestepped common Net encryption methods in a number of ways, including hacking into the servers of private companies to steal encryption keys, collaborating with tech companies to build in back doors, and covertly introducing weaknesses into encryption standards, The New York Times, The Guardian, and ProPublica reported in September, citing agency documents leaked by Edward Snowden.

The recently released report by President Obama's handpicked NSA Review Group said the group was "unaware of any vulnerability created by the US government in generally available commercial software that puts users at risk of criminal hackers or foreign governments decrypting their data."

But it also included recommendations that the government should not engage in such activity, should "fully support" encryption standards, and should "increase the use of encryption and urge US companies to do so." The group's suggestions also touched on hacking and other information security issues, saying, in essence, that the NSA needed to tread very lightly in these areas. (For details, see Chapter VII -- pages 209 through 231 -- of the group's report [PDF].)

In his NSA reform speech last week, Obama didn't address those recommendations in detail, saying instead that he'd ordered "a comprehensive review of big data and privacy" involving government officials and the President's Council of Advisors on Science and Technology. The review, he said, would "reach out to privacy experts, technologists, and business leaders" to determine "how we can continue to promote the free flow of information in ways that are consistent with both privacy and security."

Here's the full text from today's open letter. The complete list of signatories is here.

An Open Letter from US Researchers in Cryptography and Information Security

Media reports since last June have revealed that the US government conducts domestic and international surveillance on a massive scale, that it engages in deliberate and covert weakening of Internet security standards, and that it pressures US technology companies to deploy backdoors and other data-collection features. As leading members of the US cryptography and information-security research communities, we deplore these practices and urge that they be changed.

Indiscriminate collection, storage, and processing of unprecedented amounts of personal information chill free speech and invite many types of abuse, ranging from mission creep to identity theft. These are not hypothetical problems; they have occurred many times in the past. Inserting backdoors, sabotaging standards, and tapping commercial data-center links provide bad actors, foreign and domestic, opportunities to exploit the resulting vulnerabilities.

The value of society-wide surveillance in preventing terrorism is unclear, but the threat that such surveillance poses to privacy, democracy, and the US technology sector is readily apparent. Because transparency and public consent are at the core of our democracy, we call upon the US government to subject all mass-surveillance activities to public scrutiny and to resist the deployment of mass-surveillance programs in advance of sound technical and social controls. In finding a way forward, the five principles promulgated at http://reformgovernmentsurveillance.com/ provide a good starting point.

The choice is not whether to allow the NSA to spy. The choice is between a communications infrastructure that is vulnerable to attack at its core and one that, by default, is intrinsically secure for its users. Every country, including our own, must give intelligence and law-enforcement authorities the means to pursue terrorists and criminals, but we can do so without fundamentally undermining the security that enables commerce, entertainment, personal communication, and other aspects of 21st-century life. We urge the US government to reject society-wide surveillance and the subversion of security technology, to adopt state-of-the-art, privacy-preserving technology, and to ensure that new policies, guided by enunciated principles, support human rights, trustworthy commerce, and technical innovation.