Edward Snowden has released more documents about the National Security Agency’s (NSA) ability to break encryption, and it’s starting to look like nothing online is secure. Many of the previous revelations about NSA spying have been concerned with communications such as email or phone calls, but encryption is vital for international banking and commerce as well as personal privacy, and according to a report from Nicole Perlroth, Jeff Larson, and Scott Shane at The New York Times, it might not really work.
NSA’s fight to eavesdrop
Back in the 1990s, the NSA fought for the right to put back doors into different encryption products that would allow it to eavesdrop without much effort. In the end, they didn’t get what they want from Congress, so according to Snowden’s documents, they did the same thing on their own behind closed doors.
The problem doesn’t really lie with encryption itself, but with the way that it’s often implemented. As security expert Bruce Schneier says on his blog, “It’s very probable that the NSA has newer techniques that remain undiscovered in academia. Even so, such techniques are unlikely to result in a practical attack that can break actual encrypted plaintext.”
Weak security protocols targeted
The NSA seems to be mostly attacking weak security protocols. For instance, a website can do everything under the sun to make sure that an email account is secure, but if a user chooses the password “secret” it is extremely easy to hack. Similarly, if a user chooses a completely random string of letters, digits, and symbols, but writes the password down where it can easily be seen, someone can simply copy the password and break in. Both of these are examples of failures in protocol that have nothing to do with encryption itself.
While the weaknesses that the NSA exploits are a lot more complex, they are similar in spirit. Encryption still works, but that doesn’t mean it’s always implemented correctly.
NSA pressuring companies
But the NSA isn’t just looking for weaknesses; the documents allege that the organization is actively putting them in place. This is partially through pressuring companies to give master keys to the NSA that can be used to decrypt communications, or by forcing them to install a ‘back door’ to bypass the encryption entirely.
There are still some good options for keeping your information secure, including Pretty Good Privacy (PGP), as Danny Yadron reports for The Wall Street Journal, but maintaining privacy online is proving to be even more difficult than the cynics had imagined.