The latest revelations about the NSA’s ability to undermine most encryption used online dwarf anything we have learned previously. What is worse, the NSA has worked to insert weaknesses into products — backdoors.
the National Security Agency and its UK counterpart GCHQ have broadly compromised the guarantees that internet companies have given consumers to reassure them that their communications, online banking and medical records would be indecipherable to criminals or governments.
The agencies, the documents reveal, have adopted a battery of methods in their systematic and ongoing assault on what they see as one of the biggest threats to their ability to access huge swathes of internet traffic – “the use of ubiquitous encryption across the internet”.
Those methods include covert measures to ensure NSA control over setting of international encryption standards, the use of supercomputers to break encryption with “brute force”, and – the most closely guarded secret of all – collaboration with technology companies and internet service providers themselves.
Through these covert partnerships, the agencies have inserted secret vulnerabilities – known as backdoors or trapdoors – into commercial encryption software.
It’s everything, everything that Cypherpunks ever muttered about over their beer.
This is the secret that likely explains why the Obama and Cameron administrations were willing to do almost anything to try to get Snowden, the reporters he leaked to, and the anyone who touched their data.
This is the nuclear winter of data security.
What do we do?
I used to say, we don’t really care if the NSA is reading our traffic, because if they are, the secret is so valuable they won’t waste it on anything but the most important national security matters. The Snowden revelations suggest that wasn’t completely right — there was some information sharing with civilian domestic law enforcement, although it was obfuscated in ways that undermined the constitutional guarantee of the right to confront witnesses against you. More importantly, the fact of the Snowden revelations mean that the cat is out of the bag, so the disincentive to use the information will be greatly reduced.
Bruce Schneier has given this some thought — he had an advance look at the documents — and he says that the IETF and other engineers need to re-engineer the internet to make it safer from surveillance. Meanwhile, there are things we can do individually.
For now, however, it is not hyperbole to say, as Schneier does, that “[b]y subverting the internet at every level to make it a vast, multi-layered and robust surveillance platform, the NSA has undermined a fundamental social contract.” It’s going to be tough, hard work to rebuild the Internet, and even harder work afterwards to rebuild trust in systems not to mention both public and private institutions.
Are we up to either job?