The US National Security Agency has secretly developed the ability to crack or circumvent commonplace internet encryption used to protect everything from email to financial transactions, according to media reports citing documents obtained by former NSA contractor Edward Snowden.
The Guardian, The New York Times and journalistic nonprofit ProPublica reported on Thursday that the US intelligence agency used a variety of means, ranging from the insertion of ‘back doors’ in popular tech products and services, to supercomputers, secret court orders and the manipulation of international processes for setting encryption standards.
The publications said NSA and its British partner Government Communications Headquarters (GCHQ) reported making strides against Secure Sockets Layer technology, which protects millions of websites beginning in “https”, and virtual private networks, which are common for remote office workers and for people seeking to obscure their locations.
Privacy advocates have succeeded in convincing Google, Facebook and other popular service providers to turn on SSL for all of their users, but the new disclosures suggest the effort could be futile against the NSA.
The Times and ProPublica cited an intelligence document saying NSA spends more than $250 million a year on its “Sigint Enabling Project”, which “actively engages the US and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs” to make them “exploitable”.
It is unclear from the articles how often technology companies voluntarily agreed to allow covert access to their offerings through back doors and how often the NSA compelled them to do so through secret court orders. The New York Times and ProPublica said they were asked not to publish their findings by intelligence officials who argued their foreign targets might switch to newer forms of encryption or communications if the NSA tactics were revealed.
“Some specific facts” were removed, the New York Times said. The articles do not say which mainstream encryption systems have been effectively broken.
The undertaking, codenamed Bullrun, followed the abandonment in 1990s of a US effort to force back doors into services through what was called the Clipper Chip.
Back doors in software or hardware allow for access that is typically unseen by the user.
Because the NSA has great expertise and is charged with protecting US assets as well as spying electronically, it has been a frequent contributor to public processes for choosing security techniques. That could now come to a halt.
The disclosure that the NSA succeeded in subverting some unspecified processes for setting security standards is