The thousands of documents former National Security Agency contractor Edward J. Snowden stole from government computers earlier this year have resulted in a series of bombshell security leaks. One of the latest, in September, reveals how the NSA for several years has worked to crack the encryption technology commercial companies use to keep customers’ electronic data private. The scale of the NSA’s secret manipulation of encryption technology is so great it threatens to undermine trust in American technology companies.
It’s no surprise the agency advertising itself as “home to America’s codemakers and codebreakers” is actually breaking codes. What’s jolting is how the NSA has coerced private U.S. companies to turn over encryption keys or to insert “back doors” into computer chips—technical flaws allowing the government to intercept and decrypt emails and other communications data that might be sought in a national security investigation.
Electronic communication that is encrypted—such as an account number typed into a banking website—can only, in theory, be read by the sending and receiving computers.
According to the leaked classified documents, the NSA has worked to thwart widely used encryption methods, including “Secure Sockets Layer” and 4G smartphone and tablet encryption. Sometimes the agency gains access to emails and communications before they’re scrambled. At other times the NSA simply uses its own collection of encryption keys to unlock the code (the agency apparently obtains the keys by requesting them from security companies or by blatant hacking).
In the 1990s decoders at the NSA wanted to insert a back door called Clipper Chip into encryption standards, but public outcry at the time sank the idea. Instead, the agency appears to have done that very thing in secret. For example, it hijacked the development of an encryption standard eventually adopted by the government-run National Institute of Standards and Technology (NIST), and used by some Microsoft Windows operating systems. Two Microsoft analysts first discovered a back door in the code in 2007.
It’s not as if companies are willingly giving the NSA access to their encryption systems. Many are unaware of the agency’s influence—or if they are, have no legal option but to go along silently.
In light of the recent leaks, some analysts wonder whether foreign firms, knowing the NSA has exploited the very codes meant to keep commercial and personal data private, will continue doing business with U.S. technology companies. Former Microsoft privacy officer Caspar Bowden thinks the economic impact is inevitable. “Industry is still in denial,” he told the Reuters news service. “It’s like Wile E. Coyote running over the cliff. His legs are still turning but he hasn’t started falling yet.”
Public outrage over surveillance is prompting transparency from unexpected quarters: In September the secret federal court responsible for approving government surveillance finally declassified its legal justification for the bulk collection of American phone call metadata. Judge Claire Eagan of the Foreign Intelligence Surveillance Court wrote that a provision of the Patriot Act gives the government authority to collect metadata—such as phone numbers and call lengths—from phone companies because it is used to identify terrorist networks. She noted no phone company has ever objected in court to handing over such information. —D.J.D.