Michael Winter, USA TODAY
U.S. and British intelligence agencies have cracked the encryption designed to provide online privacy and security, documents leaked by former intelligence analyst Edward Snowden show.
In a clandestine, decade-long effort to defeat digital scrambling, the National Security Agency, along with its British counterpart, the Government Communications Headquarters (GCHQ), have used supercomputers to crack encryption codes through "brute force" and have inserted secret "back doors" into software with the help of technology companies, The Guardian,The New York Times and ProPublica reported Thursday.
The NSA has also maintained control over international encryption standards.
As the Times points out, encryption "guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world."
The American Civil Liberties Union immediately called the NSA's efforts to defeat encryption "recklessly shortsighted'' and are making the internet less secure for all.
In a statement, the ACLU said the actions will "further erode not only the United States' reputation as a global champion of civil liberties and privacy but the economic competitiveness of its largest companies.''
"The encryption technologies that the NSA has exploited to enable its secret dragnet surveillance are the same technologies that protect our most sensitive information, including medical records, financial transactions, and commercial secrets," Christopher Soghoian, principal technologist of the ACLU's Speech, Privacy and Technology Project, said. "Even as the NSA demands more powers to invade our privacy in the name of cybersecurity, it is making the internet less secure and exposing us to criminal hacking, foreign espionage, and unlawful surveillance.''
The spy agencies have focused on compromising encryption found in Secure Sockets Layer (SSL), virtual private networks (VPNs) and 4G smartphones. The NSA spent $255 million this year on the program, which aims to "covertly influence" software designs and "insert vulnerabilities into commercial encryption systems" that would be known only the agency.
The documents leaked by Snowden, who has been granted temporary asylum in Russia, do not name specific companies or encryption technologies, and refer to customers and users as "adversaries."
The NSA calls its decryption efforts the "price of admission for the U.S. to maintain unrestricted access to and use of cyberspace."
A 2010 memo describing an NSA briefing to British agents about the secret hacking said, "For the past decade, N.S.A. has led an aggressive, multipronged effort to break widely used Internet encryption technologies. Cryptanalytic capabilities are now coming online. Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable."
The GCHQ is working to penetrate encrypted traffic on what it called the "big four" service providers - Google, Yahoo, Facebook and Microsoft's Hotmail.
One document shows that by 2012, the British agency had developed "new access opportunities" into Google's systems.
"The risk is that when you build a back door into systems, you're not the only one to exploit it," said Matthew Green, a cryptography researcher at Johns Hopkins University. "Those back doors could work against U.S. communications, too."
The NSA says code-breaking is fundamental to its mission of protecting national security by deciphering communications from terrorists, spies or other U.S. adversaries.
During the 1990s, the agency fought unsuccessfully to have a secret government portal included in all encryption protocols.
Experts and critics say that while "back doors" may help intelligence gathering, they weaken the Web's overall security and trust, and could be used by others against U.S. communications.
"The risk is that when you build a back door into systems, you're not the only one to exploit it," Matthew . Green, a cryptography researcher at Johns Hopkins University, told the Times.
The Times and ProPublica said intelligence officials asked them not to publish the article, arguing that the revelations "might prompt foreign targets to switch to new forms of encryption or communications that would be harder to collect or read."
After removing "some specific facts," they chose to publish "because of the value of a public debate about government actions that weaken the most powerful tools for protecting the privacy of Americans and others."