The National Security Administration (NSA) has cracked encryption on data thought to be secure, sometimes with the help of tech companies both in America and abroad. This latest round of revelations comes via a coordinated report from ProPublica, the Guardian and the New York Times using files revealed by NSA leaker Edward Snowden.
The key revelations in this report are outlined in four points:
- The NSA has secretly and successfully worked to break many types of encryption, the widely used technology that is supposed to make it impossible to read intercepted communications.
- Referring to the NSA's efforts, a 2010 British document stated: "Vast amounts of encrypted Internet data are now exploitable." Another British memo said: "Those not already briefed were gobsmacked!"
- The NSA has worked with American and foreign tech companies to introduce weaknesses into commercial encryption products, allowing backdoor access to data that users believe is secure.
- The NSA has deliberately weakened the international encryption standards adopted by developers around the globe.
The third and fourth points are crucial: the NSA is not in a game of cat and mouse with the companies we trust to encrypt our data. The cat and mouse are working together, so that your data can be corralled by the NSA whenever it wants. In addition to working with individual companies, the NSA has worked weaknesses into international standards without explicitly informing anyone what it was up to. An NSA-created backdoor was discovered by Microsoft programmers in 2007:
“Classified N.S.A. memos appear to confirm that the fatal weakness, discovered by two Microsoft cryptographers in 2007, was engineered by the agency. The N.S.A. wrote the standard and aggressively pushed it on the international group, privately calling the effort ‘a challenge in finesse.’
“‘Eventually, N.S.A. became the sole editor,’ the memo says.”
It is in our personal interest, and an important social statement, both to speak out against these practices and to make things hard for the NSA where we can. It is beyond the scope of this post to explain how to do that, but some internet research will reveal any number of suggestions on how to encrypt your communications.