U.S. and British intelligence agencies have cracked the encryption designed to provide online privacy and security, documents leaked by former intelligence analyst Edward Snowden show.
In a clandestine, decade-long effort to defeat digital scrambling, the National Security Agency, along with its British counterpart, the Government Communications Headquarters (GCHQ), have used supercomputers to crack encryption codes through "brute force" and have inserted secret "back doors" into software with the help of technology companies, The Guardian The New York Times and ProPublica reported Thursday. The NSA has also maintained control over international encryption standards.
As the Times points out, encryption "guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world."
The American Civil Liberties Union, which has filed a federal suit challenging the government's collection of telephone communications data, called the NSA's efforts to defeat encryption "recklessly shortsighted'' and said they make the Internet less secure for all.
In a statement, the ACLU said the actions will "further erode not only the United States' reputation as a global champion of civil liberties and privacy but the economic competitiveness of its largest companies.''
"The encryption technologies that the NSA has exploited to enable its secret dragnet surveillance are the same technologies that protect our most sensitive information, including medical records, financial transactions and commercial secrets," said Christopher Soghoian, principal technologist of the ACLU's Speech, Privacy and Technology Project. "Even as the NSA demands more powers to invade our privacy in the name of cybersecurity, it is making the Internet less secure and exposing us to criminal hacking, foreign espionage, and unlawful surveillance.''
The spy agencies have focused on compromising encryption found in Secure Sockets Layer (SSL), virtual private networks (VPNs) and 4G smartphones and tablets. The NSA spent $255 million this year on the decryption program — code named Bullrun — which aims to "covertly influence" software designs and "insert vulnerabilities into commercial encryption systems" that would be known only to the agency.
The documents leaked by Snowden, who has been granted temporary asylum in Russia, do not name specific companies or encryption technologies, and refer to customers and users as "adversaries."
The NSA calls its decryption efforts the "price of admission for the U.S. to maintain unrestricted access to and use of cyberspace."
A 2010 memo describing an NSA briefing to British agents about the secret hacking said, "For the past decade, N.S.A. has led an aggressive, multipronged effort to break widely used Internet encryption technologies. Cryptanalytic capabilities are now coming online. Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable."
The GCHQ is working to penetrate encrypted traffic on what it called the "big four" service providers — Google, Yahoo, Facebook and Microsoft's Hotmail.
One document shows that by 2012, the British agency had developed "new access opportunities" into Google's systems.
Most major tech companies did not immediately respond. In the past, they have said they cooperate with government agencies only as prescribed by law.
Google said in a statement: "We do not provide any government, including the U.S. government, with access to our systems. As for recent reports that the U.S. government has found ways to circumvent our security systems, we have no evidence of any such thing ever occurring. We provide user data to governments only in accordance with the law."
A spokesman for Microsoft, Dominic Carr, said Thursday night that "the company has significant concerns about the