The US National Security Agency has secretly developed the ability to crack or circumvent commonplace Internet encryption used to protect everything from email to financial transactions, according to media reports citing documents obtained by former NSA contractor Edward Snowden.
The Guardian, The New York Times and journalistic nonprofit ProPublica reported on Thursday that the US intelligence agency used a variety of means, ranging from the insertion of "back doors" in popular tech products and services, to supercomputers, secret court orders and the manipulation of international processes for setting encryption standards.
The publications said the NSA and its British partner Government Communications Headquarters reported making strides against Secure Sockets Layer technology, which protects millions of websites beginning in "Https," and virtual private networks, which are common for remote office workers and for people seeking to obscure their locations.
Privacy advocates have succeeded in convincing Google Inc, Facebook Inc and other popular service providers to turn on SSL for all of their users, but the new disclosures suggest that the effort could be futile against the NSA.
The Times and ProPublica cited an intelligence document saying the NSA spends more than $250 million a year on its "Sigint Enabling Project," which "actively engages the US and foreign IT industries to covertly influence and/or overtly leverage their commercial products' designs" to make them "exploitable."
It is unclear from the articles how often technology companies voluntarily agreed to allow covert access to their offerings through back doors and how often the NSA compelled them to do so through secret court orders.
NYT and ProPublica said they were asked not to publish their findings by intelligence officials who argued that their foreign targets might switch to newer forms of encryption or communications if the NSA tactics were revealed.
"Some specific facts" were removed, the New York Times said. The articles do not say which mainstream encryption systems have been effectively broken.
The undertaking, codenamed Bullrun, followed the abandonment in the 1990s of a U.S. effort to force back doors into services through what was called the Clipper Chip.
Back doors in software or hardware allow for access that is typically unseen by the user.
Because the NSA has great expertise and is charged with protecting U.S. assets as well as spying electronically, it has been a frequent contributor to public processes for choosing security techniques. That could now come to a halt.
The disclosure that the NSA succeeded in subverting some unspecified processes for setting security standards is likely to enrage those who were willing to allow the defensive experts from the agency to participate in vetting proposals.
Previous disclosures by Snowden included an order from the Foreign Intelligence Surveillance Court, which meets in secret, compelling phone company Verizon Communications Inc to turn over all records showing which U.S. numbers called which.
A small seller of encrypted email services that Snowden used, Lavabit LLC, shut down last month rather than comply with a secret order that it said would impact all of its users.
"Without Congressional action or a strong judicial precedent, I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States," owner Ladar Levison wrote at the time.
Since then, some privacy activists have pointed to language in the amended Foreign Intelligence Surveillance Act that requires recipients of U.S. demands to "immediately provide the government with all information, facilities, or assistance necessary to accomplish the acquisition" of targeted communications.
"Assistance" could be construed to include decryption, said Caspar Bowden, a former chief policy advisor to Microsoft. In other cases, decryption keys may be stolen. Some cyber attacks overseas attributed to the United States have used purloined SSL certificates to falsely authenticate malicious software as legitimate.
Thursday's stories are the first to be produced by the three-way partnership struck after the British government threatened the Guardian with legal action unless it destroyed copies of materials leaked by Snowden.
The Guardian did destroy computers in London containing the material, but also advised senior U.K. officials that copies of the documents had been sent to media outside Britain.
U.S. intelligence officials had no immediate comment on the stories.
UNLOCKING PRIVATE COMMUNICATIONS
Below are encryption tools the US National Security Agency has had some success in cracking, according to documents provided by Edward J Snowden describing the agency's code-breaking capabilities.
VPNs
Virtual Private Networks
Commonly used by businesses to allow employees to access work networks from outside the office, via an encrypted "tunnel" through a public network.
Encrypted chat
Available with chat programs like Adium or with software added to programs like AOL Instant Messenger, providing "end to end" encryption, in which the data cannot be decrypted at any point along the transfer (even by the messaging service).
SSH
Secure Shell
For Linux and Mac operating system users, this is the standard way to gain access to a remote computer.
HTTPS
Hypertext Transfer Protocol Secure
This has long been a standard way to encrypt password and financial information when sending information from a computer to a server, and it is becoming more common with social media sites like Facebook and Twitter and Webmail services like Gmail. A URL that begins with "https://" and displays a small padlock icon designates a secured web page.
TLS/SSL
Transport Layer Security/Secure Sockets Layer
The most common way to secure information sent over the Internet (including Web browsing and e-mail) and internal servers. HTTPS is secured by applying TLS/SSL to a Web site.
Encrypted VoIP
Voice over Internet Protocol
Services like Microsoft's Skype and Apple's FaceTime allow users to make free, encrypted phone and video calls over the Internet. The documents suggest that the NSA is working with some VoIP services to obtain pre-encryption access to such messages.
Sources: Cisco; Microsoft; Electronic Frontier Foundation, NYT