The U.S. National Security Agency has secretly developed the ability to crack or circumvent commonplace Internet encryption used to protect everything from email to financial transactions, according to media reports citing documents obtained by former NSA contractor Edward Snowden.
The Guardian, The New York Times and journalistic nonprofit ProPublica reported on Thursday that the U.S. intelligence agency used a variety of means, ranging from the insertion of “back doors” in popular tech products and services, to supercomputers, secret court orders and the manipulation of international processes for setting encryption standards.
The publications said the NSA and its British partner Government Communications Headquarters (GCHQ) reported making strides against Secure Sockets Layer technology, which protects millions of websites beginning in “HTTPS,” and virtual private networks, which are common for remote office workers and for people seeking to obscure their locations.
Privacy advocates have succeeded in convincing Google Inc, Facebook Inc and other popular service providers to turn on SSL for all of their users, but the new disclosures suggest that the effort could be futile against the NSA.
The Times and ProPublica cited an intelligence document saying the NSA spends more than $250 million a year on its “Sigint Enabling Project,” which “actively engages the U.S. and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs” to make them “exploitable.”
It is unclear from the articles how often technology companies voluntarily agreed to allow covert access to their offerings through back doors and how often the NSA compelled them to do so through secret court orders.
The New York Times and ProPublica said they were asked not to publish their findings by intelligence officials who argued that their foreign targets might switch to newer forms of encryption or communications if the NSA tactics were revealed.
“Some specific facts” were removed, the New York Times said. The articles do not say which mainstream encryption systems have been effectively broken.
The undertaking, codenamed Bullrun, followed the abandonment in 1990s of a U.S. effort to force back doors into services through what was called the Clipper Chip.
Back doors in software or hardware allow for access that is typically unseen by the user.
Because the NSA has great expertise and is charged with protecting U.S. assets as well as spying electronically, it has been a frequent contributor to public processes for choosing security techniques. That could now come to a halt.
The disclosure that the NSA succeeded in subverting some unspecified processes for setting security standards is likely to enrage those who were willing to allow the defensive experts from the agency to participate in vetting proposals.
Previous disclosures by Snowden included an order from the Foreign Intelligence Surveillance Court, which meets in secret, compelling phone company Verizon Communications Inc to turn over all records showing which U.S. numbers called which.
A small seller of encrypted email services that Snowden used, Lavabit LLC, shut down last month rather than comply with secret order that it said would impact all of its users.
“Without Congressional action or a strong judicial precedent, I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States,” owner Ladar Levison wrote at the time.
Since then, some privacy activists gave pointed to language in the amended Foreign Intelligence Surveillance Act that requires recipients of U.S. demands to “immediately provide the government with all information, facilities, or assistance necessary to accomplish the acquisition” of targeted communications.
“Assistance” could be construed to include decryption, said Caspar Bowden, a former chief policy advisor to Microsoft. In other cases, decryption keys may be stolen. Some cyber attacks overseas attributed to the United States have used purloined SSL certificates to falsely authenticate malicious software as legitimate.
Thursday’s stories are the first to be produced by the three-way partnership struck after the British government threatened the Guardian with legal action unless it destroyed copies of materials leaked by Snowden.
The Guardian did destroy computers in London containing the material, but also advised senior U.K. officials that copies of the documents had been sent to media outside Britain.
U.S. intelligence officials had no immediate comment on the stories.
(Reporting by Joseph Menn in San Francisco; Additional reporting by Mark Hosenball in Washington; Editing by Tim Dobbyn)