The revelations this week by whistle-blower Edward Snowden (through documents provided to the Guardian, the New York Times and Propublica) prove that the NSA, working with its British counterpart The Government Communications Headquarters(or GCHQ), has conducted an intentional and largely sucessful campaign to destroy all privacy on the Internet.
These are the most damning indictments of the federal government’s spying, demonstrating that its efforts are not only unconstitutional and destructive but criminal and fraudulent.
According to the Propublica article, refering to the NSA: “The agency has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show.”
The three publications’ reportage outlines a huge, expensive and multi-faceted program designed to break all “encryption” in on-line communications (the Guardian’s package of most coverage is superb). The information gleaned is then stored and, using search and analysis methods previously reported on, it’s sorted and some of it read.
Two of the most egregious and frightening aspects of the policies demand particular attention and explanation because they directly attack protections most Internet users take for granted.
With a conscious attempt to defeat Secure Socket Layers and encryption protocols, the government has attacked the very foundations of Internet communications. We have come to trust the privacy and security of the Internet when those features are offered, in part because they’re offered. Now we find that they don’t exist.
What it all means is that the forms you use for credit card purchases, bank information, membership applications, website email — the forms you use all the time believing your information is protected — may well be carrying code that will allow the NSA to get your information. What’s more, the encryption programs many Internet users employ to keep their communications, including email, private may carry “back door” code that will allow anyone with the proper program to decrypt and read them.
The government programs not only attack the functionality of privacy but completely destroy any rational confidence people can have in the privacy of their day to day communications. They also smash confidence in the government and the corporations that offer these protections because the certainty of privacy has been offered with the apparent full knowledge by these companies that there is no such certainty.
These latest revelations were delivered in about 50,000 documents Snowden released to news outlets this week. While they broaden the information he has delivered to the world about government spying, these revelations add a darker stroke to the drawing. Up to now, Snowden’s information has demonstrated how governments and compliant corporations have facilitated the capture, storage and analysis of Internet communications and our government has answered those charges with a PR-choreography designed to divert attention from the real issue at stake: privacy and the Constitution. It has said, all along, that its intent isn’t to assault our privacy but to catch people who would do us harm.
These revelations demonstrate that the intent of government spying has been not only to assault privacy but to make it impossible to achieve. They rip the locked doors off all Internet privacy and make the application of Constitutional rights impossible.
Nowhere is this clearer than with the attack on Secure Socket Layer protocol.
When you go to a website to purchase something or fill out a form with your personal information, you’ll notice a different kind of website address. Rather than the “http:” that urls usually start with, you’ll see “https:”. This means the page is secure and that, if it’s complying with Internet standards, the website has installed a certificate which proves it is the site it says it is owned by the people who claim to own it. Any encryption of data between site and browser is now “trusted”. So, you are implicitly told, you can enter a credit card number and nobody else can read it. It was encrypted the moment it was entered and you pushed “submit” and the information you exchange with the site is totally protect in a “secure tunnel” (which means that nobody can even see it in any form); the people who own the site are vouching for that.
The Internet offers this assurance by maintaining “standards” for this transaction. About 40 companies world-wide offer certificates (idioscyncratic pieces of code that are to be installed on a server) and, by default, browsers recognize certificates for those companies. That’s the standard. When you visit such a webpage, your browser and the server conduct a complicated series of communications — called a “handshake” — that verifies the certificate, the identity of its owner and the company that wrote the certificate being used. This is among the most sacred trusts in Internet technology. If the certificate isn’t authentic or up to date, the “server” will return an error.
For several years now, the evidence suggests that the NSA has been working with some of those certificate companies to allow it to “pose” as a trusted authority and answer your handshake. When your computer asks for an SSL certificate, the NSA’s code offers proof that the site is actually secure and owned by the certificate holder. At that point, it can capture all data you enter into that page as it goes through a secure tunnel to which the NSA now has access. This is called a “man in the middle” attack. That data is stored — for a few days, according to these documents — and then de-crypted with one of the programs the NSA has spent hundreds of millions of dollars to develop. The agency can then search through the data (probably all the data on the Internet) for “suspicious” terms and phrases to choose which files it will investigate more carefully.
SSL (or TLS as it is now known) protection is also provided to many forms of email and other on-line protocols such as SSH: a protocol that gives users, most often technologists and server administrators, the ability to conduct secure direct communications with a server via “command line” programs. That kind of security is essential to the operations, by administrators, of the entire Internet. No decent administrator will enter a command line program without it because, if someone can eavesdrop on what the administrator is writing, they can get the administrator’s passwords, log into the server and do what they want with everything stored there.
Everyone using the Internet uses secure communications at some point. It’s so ubiquitous that most people don’t even realize it. It is a central functionality of the Internet. Effectively, it doesn’t exist anymore.
To demonstate how broad these intrusions are: when the government got wind of what Snowden was about to reveal, NSA officials immediately contacted both the Times and Pro-Publica to ask that they not publish the information. After making a few changes to protect what were clearly (to them) security matters, the publications went ahead and did their duty. But the fact that the contact was made reflects the depth and seriousness of what Snowden released.
It gets worse. To argue that you have to lie about secure communications to catch a guy committing a crime is absurdly Orwellian and that’s what the government is going to argue. But it has no argument to defend a second atrocity it is committing. Our government and the British government has been “cooperating” with companies that actually produce encryption programs to insert code that will allow government officials to decrypt all communications.
“According to an intelligence budget document leaked by Mr. Snowden,” the New York Times reported, “the N.S.A. spends more than $250 million a year on its Sigint Enabling Project, which ‘actively engages the U.S. and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs’ to make them ‘exploitable.’ Sigint is the acronym for signals intelligence, the technical term for electronic eavesdropping.”
Here too, we don’t know which “IT industries” are involved but there is little doubt that they include major purveyors of security software. In fact, the entire Internet system for developing encryption and privacy standards has been “infiltrated” by the NSA since at least 2006. During meetings of two “standards” authorities — the U.S. National Institute of Standards and Technology and later the International Organization for Standardization — the NSA pushed for standards that included vulnerabilities. In other words, it surreptitiously fooled agencies whose purpose is to protect privacy into authorizing computer privacy code that had holes in it through which the NSA could spy.
“Even agency programs ostensibly intended to guard American communications are sometimes used to weaken protections,” the New York Times piece reads. “The N.S.A.’s Commercial Solutions Center, for instance, invites the makers of encryption technologies to present their products to the agency with the goal of improving American cybersecurity. But a top-secret N.S.A. document suggests that the agency’s hacking division uses that same program to develop and ‘leverage sensitive, cooperative relationships with specific industry partners’ to insert vulnerabilities into Internet security products.”
This is pure criminal fraud at its most despicable.
It’s important to keep in mind that one of the goals of this attack on encryption is to get us to stop using it and that would be a huge mistake. For one thing, while everything is captured, it’s not necessarily the case that your information is being read. Besides, the fact that someone is listening should never stop us from talking. We need to talk if we’re going to figure out how to stop them from listening.
Most important, however, is the Snowden reminder that good encryption can and will still work. For example, if you use encryption programs that use the Open PGP protocol (a free and open source answer to the more popular proprietary Pretty Good Privacy protocol) your email is much more protected from decyption — Open PGP is not owned or controlled by any one company so the government can’t make “deals”.
Using Free and Open Source Software (and FOSS supporting providers) helps free us from the corporate control that is the lynchpin of this government surveillance strategy. Using good passwords and insisting (from providers) that the encryption be solid is also now a necessity.
The attack on privacy is illegal and unconstitutional. There are no court orders involved because the intrusion is so basic that it affects everybody using the Internet. But it’s also fraudulent because you are told by the people who provide secure layers for websites and email that their protocols make these communications safe and private. You’re told by people who produce and sell encryption protection software that using their products assures your privacy. Some of these people lied; they committed a destructive and outrageous fraud.
The casualty of these efforts is not only the privacy that the Constitution affords us (vitally important to any democracy) but the trust we have all had in the Internet: the belief that we can protect our privacy by using the tools available to us for that purpose.
Our government, colluding with other governments and corporations world-wide, has smashed that trust and, given the importance of the Internet to our lives as people and activists, that is the most damaging crime.
Alfredo Lopez writes about technology issues for This Can’t Be Happening!