Secret documents reveal NSA spying on encrypted internet communications


1984, by George Orwell.If you haven’t read the articles in the New York Times or The Guardian today, you probably should.

If true, it’s one of the most shocking things you will ever read about the internet.

In a nutshell, documents obtained by The Guardian have revealed that the NSA works with technology companies to “covertly influence” product designs, helping them to collect “vast amounts” of encrypted data.

According to the documents provided by whistleblower Edward Snowden, encryption tools that the NSA has had some success in hacking include:

  • VPNs (Virtual Private Networks), commonly used by businesses to allow workers to access their office networks remotely.
  • Encrypted chat programs which provide end-to-end encryption. Such systems should not allow data to be decrypted at any point during the message transfer.
  • HTTPS - the long-standing method of encrypting data (such as passwords and financial information) between a web browser and a secure website, such as your online bank, your webmail or social networking site. If you’ve ever visited a website whose URL begins https:// and displays a small padlock, you’re using HTTPS to secure your communications.
  • TLS/SSL (Transport Layer Security / Secure Sockets Layer - used by HTTPS.
  • Encrypted VoIP (Internet telephony) services. Skype and Apple FaceTime are examples of free services that offer encrypted phone and video calls. The leaked documents suggest that the NSA is working with some VoIP services to obtain access to messages before they are encrypted.

The documents reveal the NSA was covertly working with technology firms to not only weaken encryption but also to introduce exploitable backdoors that could be used for surveillance

Perhaps most shockingly of all, the NSA appears to have been promoting deliberately weakened or vulnerable cryptography, and influencing standards.

The Guardian specifically highlights the National Institute of Standards and Technology (NIST) for a standard they published in 2006.

Part of leaked document

  • Insert vulnerabilities into commercial encryption systems, IT systems, network, and endpoint communications devices used by targets.
  • Influence policies, standards and specifications for commercial public key technologies.
  • The story is very important, and many will find it highly disturbing.

    If any weakness is inserted into the technologies used to protect the privacy of many millions of internet users it could be exploited not just by law enforcement and surveillance agencies in the USA or United Kingdom, but also foreign nations and online criminals. A backdoor in a security systems fundamentally compromises the security of all users.

    Quote from George Orwell's 1984

    We’re used to hearing stories of abusive surveillance by the likes of China, Russia, and others… but it appears that the United States and UK have betrayed all users of the internet as well, by undermining technologies that are trusted billions of times every day online.

    Further reading:

    NSA and GCHQ unlock privacy and security on the internet - The Guardian.
    NSA Able to Foil Basic Safeguards of Privacy on Web - New York Times.
    Revealed: The NSA’s Secret Campaign to Crack, Undermine Internet Security - ProPublica.
    How to remain secure against NSA surveillance - Bruce Schneier, The Guardian.

    Tags: , , , , , , , ,

    Share this article:

       Join thousands of others and sign up to our free "GCHQ" newsletter.

    Smashing Security podcast
    Check out "Smashing Security", the award-winning weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

    "It's brilliant!" • "Three people having fun in an industry often focused on bad news" • Winner of the Best Security Podcast 2018

    Latest episodes:
    Listen on Apple Podcasts Listen on Google Podcasts

    , , , , , , , ,

    3 Responses

    1. Dave Ewart

      September 6, 2013 at 9:48 am #

      Typo alert: “If you’ve ever visited a website whose URL begins http://” should probably finish ‘https’, not ‘http’.

    2. Spryte

      September 7, 2013 at 4:02 am #

      Disturbing… somewhat.

      Surprising… not in the least.

    Leave a Reply

    This site uses Akismet to reduce spam. Learn how your comment data is processed.