Backed by the documents shared by NSA whistleblower Edward Snowden, they state that the US National Security agency has actively and for years now concentrated on thwarting or subverting encryption efforts via a number of ways, and that their endeavors have largely been successful.
"The agency has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show," they claim.
"Many users assume — or have been assured by Internet companies — that their data is safe from prying eyes, including those of the government, and the NSA wants to keep it that way. The agency treats its recent successes in deciphering protected information as among its most closely guarded secrets, restricted to those cleared for a highly classified program code-named Bullrun."
They pointed out that after the NSA lost the very public dispute in 1994 about whether it should be allowed to fit a backdoor into all encryption, they decided they won't going to be stymied by this setback and opted to simply continued their efforts - this time in secret.
They did not concentrate on breaking encryption as much as making its use irrelevant. They did start using faster and faster supercomputers for breaking cryptographic keys, but they also, among other things:
- Secured the collaboration - either voluntary or legally forced - from US and foreign Internet and telecom companies to gain the needed access to the communications they wanted to review before they were encrypted. Alternatively, when neither of those two approaches worked, they would steal the companies' encryption keys or secretly alter their products to contain a backdoor only known to the NSA.
- Hacked into computers / endpoints before the messages were encrypted.
- Influenced the US National Institute of Standards and Technology (NIST) and the International Organization for Standardization to adopt an encryption standard that has been made by the NSA to include a weakness known only to them.
There are many more details about these and other efforts in the original article, and the one published by The Guardian, and I urge you to peruse them. You'll likely be shocked at the things you thought to be safe (such as SSL, VPN, or 4G), but are actually not.
Matthew Green, cryptographer and research professor at Johns Hopkins University, has an interesting blog post with speculations about which code, hardware, and standards were weakened, and which people were involved.
On the other hand, Bruce Schneier, another well-known cryptographer and computer security expert as well as a privacy advocate, is working with the Guardian on the NSA stories and has the required insight into the details to offer a set of advice that can help any of us keep out online communication and actions secure - or as secure as they can be.
"The NSA has turned the fabric of the internet into a vast surveillance platform, but they are not magical. They're limited by the same economic realities as the rest of us, and our best defense is to make surveillance of us as expensive as possible," he pointed out. "Trust the math. Encryption is your friend. Use it well, and do your best to ensure that nothing can compromise it. That's how you can remain secure even in the face of the NSA."
It's interesting to note that both the NYT and ProPublica have been asked by US intelligence officials not to publish this last article, saying that "it might prompt foreign targets to switch to new forms of encryption or communications that would be harder to collect or read."
However, both publications have declined.
"The story, we believe, is an important one. It shows that the expectations of millions of Internet users regarding the privacy of their electronic communications are mistaken," ProPublica's editor-in-chief and its director pointed out.
"These expectations guide the practices of private individuals and businesses, most of them innocent of any wrongdoing. The potential for abuse of such extraordinary capabilities for surveillance, including for political purposes, is considerable. The government insists it has put in place checks and balances to limit misuses of this technology. But the question of whether they are effective is far from resolved and is an issue that can only be debated by the people and their elected representatives if the basic facts are revealed."
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.