Crucial Unanswered Questions about the NSA's BULLRUN Program
As we work hard to promote encryption on the web through tools like our browser extension HTTPS Everywhere, we also pay close attention to attacks that undermine the security of that encryption. That's why we were dismayed by last Thursday's revelations about the National Security Agency's aggressive efforts to undermine the ability of citizens to communicate securely. It's not surprising that the NSA would try to break cryptographic systems in whatever way they can, but the deeply pernicious nature of this campaign—undermining national standards and sabotaging hardware and software—as well as the amount of overt private sector cooperation are both shocking.
These leaks should not lead us to privacy nihilism – while we cannot be certain about the NSA's capabilities, we have good reason to believe that the mathematical underpinnings of crypto systems in widespread use remain strong. We are safer when communicating with encryption and anonymity tools. This is especially true for open source tools that are developed in public view and provide a higher level of auditability than closed tools. Even if the NSA and other major spying powers like the United Kingdom, China, and Russia have advanced attacks and backdoors, strong encryption can make their spying more difficult while protecting against less sophisticated adversaries.
And while it is important not to despair, a thorough examination of the available information from the NSA is in order, both so that we can bolster our defenses against these attacks on our communications infrastructure, and so that we can have an open democratic debate about what tactics are appropriate for the NSA to use. Unfortunately, while last Thursday's articles and documents about the BULLRUN program paint a picture of spy agencies working hard on a variety of fronts in order to undermine our ability to communicate securely, these broad brush strokes leave many key questions unanswered.
Does the NSA hold the private SSL encryption keys of major communication service providers like Facebook, Google, and Microsoft?
We've recently been worried about the privacy of keys that are supposed to be in the hands of service providers and no one else. A very large fraction of the world's online communications flow through a handful of service providers, and in turn a handful of private keys used by those providers serve as a gateway to the communications of billions of people. It is therefore critical to know whether or not the NSA has these private keys, since that would mean the agency has unfettered access to a huge swath of the world's online communications.1
The New York Times reports that the agency has a database of encryption keys for “specific commercial products.” It is not clear whether these products include online communication services, but there are strong hints that many such services have been compromised. According to the Times, by 2012, the GCHQ – the British equivalent of the NSA – had developed “new access opportunities” into Google's systems. The Guardian has also reported that Microsoft has worked with the NSA to get “pre-encryption stage access” to email on outlook.com, including Hotmail. Given the magnitude of spying that could occur with private key access to major service providers, this is a critical question and Internet users deserve an answer to be able to choose what communication platforms to use.
What methods does the NSA use to obtain private encryption keys?
The Times says that how keys are acquired is “shrouded in secrecy,” but speculates that many are likely collected by hacking into companies' servers. Having concrete evidence of these attacks would have important legal and technical ramifications, and we hope that this information comes to light, both so that companies have the opportunity to improve the security of their servers and so the American public can take part in a transparent debate about what targets and methods are appropriate for the NSA to pursue.
What hardware has the NSA backdoored?
The New York Times reports that, in addition to partnering with telecommunications providers and other companies, including Microsoft, the NSA had “found ways inside some of the encryption chips, either by working with chipmakers to insert back doors or by surreptitiously exploiting existing security flaws.” This means that there is probably a lot of hardware floating around that the NSA knows to be insecure, leaving many individuals and companies likely vulnerable to a host of attackers. As we've explained before, back doors fundamentally undermine everybody's security, not just that of bad guys. We need to know what hardware is affected so that these vulnerabilities can be fixed. This is especially critical now that these leaks have come out, since malicious attackers now have been tipped off that back doors exist, and so it is even more likely that exploitable vulnerabilities will be discovered by parties other than the NSA, if they have not been already.
What power does the NSA have over companies to get them to cooperate? How often do companies cooperate, and what happens when they say “no”?
We need to know if and how the NSA uses the legal system to compel company cooperation with requests for back doors. While FISA may allow the government to seek technical assistance from telecoms, there is nothing in the law to require the addition of backdoors to secure communications products, either in software or in hardware. Indeed, when the government attempted to legally require encryption backdoors with the Clipper Chip, EFF and others fought back and defeated the proposal. If the NSA thinks it has this authority, it has to come forward and explain the basis.
We also need to know how often this cooperation occurs and on what scale. For example, the New York Times reports that in one case, “after the government learned that a foreign intelligence target had ordered new computer hardware, the American manufacturer agreed to insert a back door into the product before it was shipped.” Are these sorts of agreements common? Are the companies pressured, enticed, or is the cooperation voluntary?
The NSA needs to come clean about the scope of its capabilities and relationships with companies. President Obama has said that new public disclosures about the NSA constitute only bits and pieces of a larger story, and that to have an open and democratic debate we should "put the whole elephant out there." Unfortunately, this purported concession of more transparency has not been borne out, as we have seen continued unwillingness on the part of the Intelligence Community or the President to reveal or confirm enough information to have a truly informed debate.
The lack of openess around these clandestine programs has become a liability for America. The Director of National Intelligence James Clapper claimed last week that these leaks have harmed America's efforts to thwart terrorists by revealing "specific techniques we are using to try to intercept their communications." This is the tired and empty rhetoric of fear that we've seen again and again. Nobody is suggesting that particular investigations or individual spying efforts must be revealed. But while any terrorist with half a brain has already stopped using Facebook, millions of people may stop using American-based social networks, email providers, or hardware if they believe them to be insecure. That's why we need more details, not fewer, to better understand the scope and contours of these spying programs, and to have an open democratic debate about what methods the NSA should use to accomplish its mission.
- 1. Companies that use Perfect Forward Secrecy (PFS) by default enjoy some protection against widespread passive surveillance, and companies should enable this technology right away in light of these revelations. However, though PFS helps to protect against passive surveillance, if the NSA has access to the long-term private key of a service provider, then the agency is still able to read any user's communications by launching a "man in the middle" attack against the ephemeral key exchange that occurs within a cipher that supports PFS. Right now, there is no obvious way that the service provider or an end user could detect such an attack.