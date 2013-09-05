By Joseph Menn
| SAN FRANCISCO, Sept 5
SAN FRANCISCO, Sept 5 The U.S. National Security
Agency has secretly developed the ability to crack or circumvent
commonplace Internet encryption used to protect everything from
email to financial transactions, according to media reports
citing documents obtained by former NSA contractor Edward
Snowden.
The Guardian, The New York Times and journalistic nonprofit
ProPublica reported on Thursday that the U.S. intelligence
agency used a variety of means, ranging from the insertion of
"back doors" in popular tech products and services, to
supercomputers, secret court orders and the manipulation of
international processes for setting encryption standards.
The publications said the NSA and its British partner
Government Communications Headquarters (GCHQ) reported making
strides against Secure Sockets Layer technology, which protects
millions of websites beginning in "Https," and virtual private
networks, which are common for remote office workers and for
people seeking to obscure their locations.
Privacy advocates have succeeded in convincing Google Inc
, Facebook Inc and other popular service
providers to turn on SSL for all of their users, but the new
disclosures suggest that the effort could be futile against the
NSA.
The Times and ProPublica cited an intelligence document
saying the NSA spends more than $250 million a year on its
"Sigint Enabling Project," which "actively engages the U.S. and
foreign IT industries to covertly influence and/or overtly
leverage their commercial products' designs" to make them
"exploitable."
It is unclear from the articles how often technology
companies voluntarily agreed to allow covert access to their
offerings through back doors and how often the NSA compelled
them to do so through secret court orders.
The New York Times and ProPublica said they were asked not
to publish their findings by intelligence officials who argued
that their foreign targets might switch to newer forms of
encryption or communications if the NSA tactics were revealed.
"Some specific facts" were removed, the New York Times said.
The articles do not say which mainstream encryption systems have
been effectively broken.
The undertaking, codenamed Bullrun, followed the abandonment
in 1990s of a U.S. effort to force back doors into services
through what was called the Clipper Chip.
Back doors in software or hardware allow for access that is
typically unseen by the user.
Because the NSA has great expertise and is charged with
protecting U.S. assets as well as spying electronically, it has
been a frequent contributor to public processes for choosing
security techniques. That could now come to a halt.
The disclosure that the NSA succeeded in subverting some
unspecified processes for setting security standards is likely
to enrage those who were willing to allow the defensive experts
from the agency to participate in vetting proposals.
Previous disclosures by Snowden included an order from the
Foreign Intelligence Surveillance Court, which meets in secret,
compelling phone company Verizon Communications Inc to
turn over all records showing which U.S. numbers called which.
A small seller of encrypted email services that Snowden
used, Lavabit LLC, shut down last month rather than comply with
secret order that it said would impact all of its users.
"Without Congressional action or a strong judicial
precedent, I would strongly recommend against anyone trusting
their private data to a company with physical ties to the United
States," owner Ladar Levison wrote at the time.
Since then, some privacy activists gave pointed to language
in the amended Foreign Intelligence Surveillance Act that
requires recipients of U.S. demands to "immediately provide the
government with all information, facilities, or assistance
necessary to accomplish the acquisition" of targeted
communications.
"Assistance" could be construed to include decryption, said
Caspar Bowden, a former chief policy advisor to Microsoft
. In other cases, decryption keys may be stolen. Some
cyber attacks overseas attributed to the United States have used
purloined SSL certificates to falsely authenticate malicious
software as legitimate.
Thursday's stories are the first to be produced by the
three-way partnership struck after the British government
threatened the Guardian with legal action unless it destroyed
copies of materials leaked by Snowden.
The Guardian did destroy computers in London containing the
material, but also advised senior U.K. officials that copies of
the documents had been sent to media outside Britain.
U.S. intelligence officials had no immediate comment on the
stories.