Major revelations about the capabilities of the National Security Agency and the British intelligence agency GCHQ to crack encryption were published yesterday by The Guardian, The New York Times and ProPublica. The revelations were from documents provided by former NSA contractor and whistleblower Edward Snowden.
The stories were the first to appear from a partnership that formed in response to actions by the British government against The Guardian. The government detained Guardian journalist Glenn Greenwald’s partner, David Miranda, at Heathrow Airport for nearly nine hours under a terrorism law in August. The authorities seized electronics equipment Miranda was carrying, which contained documents for future news stories from journalist Laura Poitras. [A British court recently granted the government the authority to investigate whether Miranda committed "crimes related to terrorism and breaches of the Official Secrets Act," a further attack on press freedom.]
The British government also sent a message to The Guardian to halt reporting on documents from Snowden when it forced the news organization to symbolically destroy hard drives in the basement of the media organization’s office. The drives were destroyed, even though they had no files on them, as a compliant gesture to the British government because the government could have threatened legal action and shut down reporting on files related to GCHQ and the NSA entirely.
This is apparently a part of what the British government—and presumably the United States government—did not want to become public and why they felt the need to cast a chill on the news gathering process.
According to The Guardian, "A 10-year NSA program against encryption technologies made a breakthrough in 2010 which made 'vast amounts' of data collected through internet cable taps newly 'exploitable.'"
The NSA has worked with technology companies to "covertly influence" the designs of products in order to ensure the agency can maintain access to communications. This means, as the Times reported, the NSA has introduced "weaknesses into commercial encryption products, allowing backdoor access to data that users believe is secure." The NSA has also "deliberately weakened international encryption standards adopted by developers around the globe."
The Guardian further reported that, "A GCHQ team has been working to develop ways into encrypted traffic on the 'big four' service providers, named as Hotmail, Google, Yahoo and Facebook."
"None of the companies involved in such partnerships," with companies to gain access to "encrypted traffic." Yet, the goal of the NSA is to insert "design changes" that "make the systems in question exploitable through [signals intelligence] collection…with foreknowledge of the modification," while at the same time keeping the systems’ security "intact" for "the consumer and other adversaries," according to a top secret 2013 budget request for "Sigint [signals intelligence] enabling."
But the revelations do not necessarily mean the NSA can get around all encryption. The Times report indicates the NSA has engaged in hacking to "snare messages before they were encrypted." Additionally, "In some cases, companies say they were coerced by the government into handing over their master encryption keys or building in a back door."
The Times also points out that the NSA’s "most intensive efforts" have involved encryption, which is "in universal use in the United States." This encryption includes Secure Sockets Layer or SSL, virtual private networks (VPN), and protection on fourth-generation or 4G smartphones. "Many Americans, often without realizing it," as the Times notes, "rely on such protection every time they send an email, buy something online, consult with colleagues via their company’s computer network or use a phone or a tablet on a 4G network."
Previously, the government has complained about having a "going dark" problem—how new technology was making it difficult to intercept communications. The revelations from Snowden show the NSA has actively developed methods for spying, which makes previous statements by government officials about needing more access to communications for interception questionable, especially since they suggest that, while seeking more spying powers from Congress, the NSA was covertly engaged in the exact spying operations it wanted permission to carry out.
A classification guide provided by Snowden shows how crucial secrecy around this is (or was) to the NSA. That the NSA "makes cryptographic modifications to commercial or indigenous cryptographic information security devices or systems in order to make them exploitable," is considered top secret at a minimum. That the NSA "successfully exploits cryptographic components of commercial or indigenous cryptographic information security devices or systems when the device or system is specified," is considered top secret at a minimum. And that the NSA "obtains cryptographic details of commercial cryptographic information security systems through industry relationships" is considered top secret at a minimum.
Efforts to defeat encryption were named after major civil war battles. NSA named an effort "Project Bullrun," after one of the first major battles in the US Civil War. GCHQ named an effort "Project Edgehill," after a battle in the English Civil War. Those involved in "Project Bullrun" were advised not to "ask about or speculate on sources or methods underpinning BULLRUN successes," according to a top secret slide.
The revelations show the NSA and GCHQ have engaged in a conspiracy against Internet users worldwide. This is not about targeting terrorists or protecting systems in the United States from malicious actors but rather about total domination in cyberspace so there is nothing the NSA or GCHQ is not allowed to know.
As noted by the Times, "Intelligence officials asked The Times and ProPublica not to publish this article, saying it might prompt foreign targets to switch to new forms of encryption or communications that would be harder to collect or read. The news organizations removed some specific facts but decided to publish the article because of the value of a public debate about government actions that weaken the most powerful privacy tools."
That "foreign targets" or "terrorists" would use new forms of encryption or communication has been the boogeyman trotted out by named and unnamed US government officials since documents from Snowden began to be published. It has been nothing more than propaganda because, clearly, as evidenced by the Obama administration’s ability to pick up chatter among al Qaeda leaders and Iranian officials and militants, intelligence agencies are still able to detect alleged, perceived or potential threats to the United States.
ProPublica published a robust defense of the decision to publish, which is an essential read for anyone who doubts the significance of this important act of journalism:
The story, we believe, is an important one. It shows that the expectations of millions of Internet users regarding the privacy of their electronic communications are mistaken. These expectations guide the practices of private individuals and businesses, most of them innocent of any wrongdoing. The potential for abuse of such extraordinary capabilities for surveillance, including for political purposes, is considerable. The government insists it has put in place checks and balances to limit misuses of this technology. But the question of whether they are effective is far from resolved and is an issue that can only be debated by the people and their elected representatives if the basic facts are revealed.
Also, in addressing the notion that this story should not have been published because "enemies" will be able to change their tactics and evade detection by US intelligence agencies:
…Suppose for a moment that the U.S. government had secretly developed and deployed an ability to read individuals’ minds. Such a capability would present the greatest possible invasion of personal privacy. And just as surely, it would be an enormously valuable weapon in the fight against terrorism.
Continuing with this analogy, some might say that because of its value as an intelligence tool, the existence of the mind-reading program should never be revealed. We do not agree. In our view, such a capability in the hands of the government would pose an overwhelming threat to civil liberties. The capability would not necessarily have to be banned in all circumstances. But we believe it would need to be discussed, and safeguards developed for its use. For that to happen, it would have to be known…
What is contained in the documents from Snowden is clear evidence of an unchecked surveillance state that threatens the liberty of citizens not just in America but around the world. There is a duty amongst journalists to inform citizens of what these intelligence agencies are doing and what powers they have and think they should have to invade privacy, whenever they deem it necessary.
How the NSA and GCHQ have violated and undermined the development of encryption technology and standards—along with the previous evidence of NSA abuse of the PATRIOT Act through bulk data collection of citizens’ phone records—is so clearly deserving of public attention. Anyone in government who has more information along the lines of what Snowden has exposed should feel a compelling obligation to come forward and share what they are seeing.
Bruce Schneier, who writes about security and technology and is working on NSA stories for The Guardian, declared yesterday:
…[W]e should expose. If you do not have a security clearance, and if you have not received a National Security Letter, you are not bound by federal confidentiality requirements or a gag order. If you have been contacted by the NSA to subvert a product or protocol, you need to come forward with your story. Your employer obligations don’t cover illegal or unethical activity. If you work with classified data and are truly brave, expose what you know. We need whistleblowers.
We need to know exactly how the NSA and other agencies are subverting routers, switches, the internet backbone, encryption technologies and cloud systems. I already have five stories from people like you, and I’ve just started collecting. I want 50. There’s safety in numbers, and this form of civil disobedience is the moral thing to do.
Indeed, while it may be frightening to think that no matter what you do to your communications there may be some way the government can get into your communications and see what you would like to keep private, there is a profound reality in this moment that people are realizing the true extent of power that has coalesced in the hands of the national security state apparatuses of both the United States and the United Kingdom.
A moment of awakening has been taking place and will continue to take place. Whistleblowers like Snowden will seek out the journalists, who will not sell them out to government agents. Journalists like Glenn Greenwald will publish because they know instinctively this is information the public has a right to know—and that is evidenced by the pressure which the US and UK governments are willing to apply to interfere with or diminish the impact of publication. Media organizations, both establishment and new media, will embrace muckraking and defend their right to publish.
Reflexively, government officials and their most loyal apologists will argue this will help "enemies" or endanger security. They’ll continue to suggest this is what intelligence agencies do—seek total control of communications and transmissions of all data and information. But that is because they are afraid and all they can come up with is the last refuge they have: denial and fear.
Fear campaigns, thus far, have been attempted, but they have not worked. The majority of Americans and the world still consider Snowden to be a whistleblower. Efforts to downplay or deny the significance of revelations haven’t worked either; thousands of people throughout the US have protested in the streets to reclaim their privacy.
This should empower other individuals with information of abuses and criminal misconduct to come forward because citizens are paying attention and will pay attention to the next person that puts their livelihood and future at risk like Snowden did.
Photo by Chris Dlugosz under Creative Commons license