NSA Online Spying? You Can Avoid It ... For Now
In the wake of recent revelations that the U.S. National Security Agency has circumvented or cracked much of the encryption technology that protects users' online confidentiality, it might seem that online confidentiality is dead.
Security and privacy experts, however, say that isn't true -- at least not yet.
The Guardian, the New York Times and ProPublica all reported last week that everything from email and online chats to financial transactions and medical records was not safe from the NSA's prying eyes -- based on documents leaked by former NSA contractor Edward J. Snowden.
The agency has engaged in a multi-billion-dollar campaign over the last 13 years, said the reports, to conquer the safeguards that scramble digital information for privacy and security purposes. The news agencies reported that NSA's methods supposedly range from developing super-fast computers to crack codes to covertly using its influence to introduce intentional flaws into the encryption standards followed by hardware and software developers, which the agency can then exploit.
But while the NSA's eavesdroppers have chipped away at some of the privacy safeguards that Internet users take for granted, there are still encryption technologies that they probably can't yet defeat.
Moreover, even less than state-of-the-art encryption still makes it sufficiently difficult and time-consuming for code-breakers to decipher messages that they can't conduct "dragnet" searches, in which they would sift through millions of users' emails, calls or chats in search of some word or phrase.
"Think of encryption as being like a safe," explained Ashkan Soltani, an encryption expert who consults with the Electronic Privacy Information Center, a Washington, D.C.-based watchdog group. "When you buy a safe, it's rated based upon the number of hours it would take an expert safe-cracker to break in. So you can buy a 5-hour safe, or a 30-hour safe, depending upon how much security you think you need."
Similarly, he explains, an encryption software developer can lengthen the key -- the sequence of numbers that unlocks the message -- or make the algorithms in the program more complex.
To follow Soltani's metaphor, the NSA has long wanted to be able to flip a switch and open all of the nation's safes at once. In the 1990s, according to news reports, the agency sought to compel encryption software makers to include a universal backdoor key, that would enable it to unlock anyone's communications. When NSA failed to get that power, it then started trying to find ways to get around encryption systems.
One approach was to beef up the agency's computing power. "A 2-kilobyte encryption key was designed to take 15 years for a computer to crack," Soltani explained. "But with advances in supercomputing, some of that protection goes away."
But NSA seems to have relied more heavily upon guile than muscle. The Snowden documents indicate that the agency used its influence to plant subtle flaws in the technical standards used by the encryption industry.
Good try, but a ski mask offers little protection from online scrutiny.Angel Manuel Herrero, iStockphoto
"The safe might be rated 30 hours if you try to drill through the front door," Soltani explained. "But the NSA might know that there's a secret weakness in the side wall that only takes six hours to get through."
Even with that edge, experts say, the NSA still has to put enough effort into cracking a particular email or encrypted phone call that it probably remains impractical for the agency to spy on vast numbers of people at once.
"Encryption acts as a sort of friction," said Christopher Soghoian, a computer security expert at the American Civil Liberties Union. "It slows down the government. If it takes them a day to crack the encryption on an email, they won't be able to do it for the entire U.S. population."
Additionally, there are indications that the government still hasn't figured a way around every encryption program. In an online chat in June, Snowden himself advised Internet users that "properly implemented strong crypto systems are one of the few things you can rely on."
Phil Zimmermann, founder Pretty Good Privacy (PGP), a popular encryption system now owned by Symantec, told the Washington Post that he's confident that the NSA hasn't yet beaten the program.
"The fact that they use PGP for government users indicates that they haven't broken it," he said. "Otherwise they'd have stopped using it."
If there's a silver lining to the revelations about the NSA's anti-encryption efforts, it's that they may prod Internet companies -- from email services to websites -- to beef up their encryption technology to make the government's job more difficult.
"They've been embarrassed," said Evan Hendricks, publisher of the Washington, D.C. area-based newsletter Privacy Times. "They made these representations that your email is private, and now it turns out that it isn't. So their scrambling to cover up."
Soghoian says that too many Internet companies have been using older, obsolete encryption technology, because the patents covering those programs have expired, making them cheaper than more up-to-date programs.
"What many websites are using today is not as good as it should be," he said. "But as a consequence of these articles being published about the NSA, people in the security industry will be pushing for a more rapid upgrade of encryption algorithms."
One company that's already in the process of strengthening its privacy protections is search and email giant Google, which is encrypting the information that flows between its global data centers.
"The security of our users' data is a top priority,' a Google spokesman wrote in an email. "We do not provide any government, including the U.S. government, with access to our systems. As for recent reports that the U.S. government has found ways to circumvent our security systems, we have no evidence of any such thing ever occurring."