The NSA is Making Us All Less Safe
"Computers are everywhere. They are now something we put our whole bodies into—airplanes, cars—and something we put into our bodies—pacemakers, cochlear implants. They HAVE to be trustworthy."
–EFF Fellow Cory Doctorow
Cory’s right, of course. And that’s why the recent New York Times story on the NSA’s systematic effort to weaken and sabotage commercially available encryption used by individuals and businesses around the world is so important—and not just to people who care about political organizing, journalists or whistleblowers. Thanks to additional reporting, we now know it matters deeply to companies including Brazil’s Petrobras and Belgium’s Belgacom, who are concerned about protecting their infrastructure, negotiating strategies and trade secrets. But really, it matters to all of us.
We all live in an increasingly networked world. And one of the preconditions of that world has to be basic computer security—freedom to use strong technologies that are fully trustworthy.
Every casual Internet user, whether they know it or not, uses encryption daily. It’s the “s” in https and the little lock you see in your browser—signifying a secure connection—when you purchase something online, when you’re at your bank’s website or accessing your webmail, financial records, and medical records. Cryptography security is also essential in the computers in our cars, airplanes, houses and pockets.
What is the NSA Doing to Make Us Less Safe?
By weakening encryption, the NSA allows others to more easily break it. By installing backdoors and other vulnerabilities in systems, the NSA exposes them to other malicious hackers—whether they are foreign governments or criminals. As security expert Bruce Schneier explained, “It’s sheer folly to believe that only the NSA can exploit the vulnerabilities they create.”
The New York Times presented internal NSA documents with some specifics. They are written in bureaucratese, but we have some basic translations:
- “Insert vulnerabilities into commercial encryption systems, IT systems, networks and endpoint communications devices used by targets”— Sabotage our systems by inserting backdoors and otherwise weakening them if there’s a chance that a “target” might also use them.
- "actively engages US and foreign IT industries to covertly influence and/or overtly leverage their commercial products' designs" — Secretly infiltrate companies to conduct this sabotage, or work with companies to build in weaknesses to their systems, or coerce them into going along with it in secret.
- “Shape the worldwide commercial cryptography marketplace to make it more tractable to advanced cryptanalytic capabilities being developed by NSA/CSS — Ensure that the global market only has compromised systems, so that people don’t have access to the safest technology.
- "These design changes make the systems in question exploitable through Sigint collection … with foreknowledge of the modification. To the consumer and other adversaries, however, the systems' security remains intact." — Make sure no one knows that the systems have been compromised.
- “influence policies, standards and specifications for commercial public key technologies” — Make sure that the standards that everyone relies on have vulnerabilities that are hidden from users.
Each of these alone would be terrible for security; collectively they are a nightmare. They are also a betrayal of the very public political process we went through in the 1990s to ensure that technology users had access to real security tools to keep them safe.
Crypto Wars, Part I
Ensuring your ability to have real security and privacy online was one of EFF’s earliest goals and protecting your ability to use strong encryption was one of our first victories.
In the 1990s, the Clinton administration tried several things to ensure that our technologies were not very safe, including proposing the now-infamous "Clipper Chip," which sought to compel companies insert backdoors into commercial encryption technologies and enforcing export regulations that effectively prevented the development and distribution of strong encryption.
But in the 1990s, we had a long list of supporters for strong security online, including then-Senator (later Bush Attorney General) John Ashcroft, Senator (current Secretary of State) John Kerry, the National Association of Manufacturers, the U.S. Public Policy Committee of the Association for Computer Machinery, National Computer Security Association and the American Association For The Advancement Of Science.
At the time, the Internet Architecture Board and the Internet Engineering Steering Group, the bodies that oversee architecture and standards for the Internet, put it best, stating:
[a]s more and more companies connect to the Internet, and as more and more commerce takes place there, security is becoming more and more critical. Cryptography is the most powerful single tool that users can use to secure the Internet. Knowingly making that tool weaker threatens their ability to do so, and has no proven benefit.
(emphasis added). These risks have only increased substantially over the past 15-20 years, as virtually all records, both public and private are maintained electronically and stored in networked environments.
The Clipper Chip proposal was defeated in the late 1990s and the encryption regulations were rolled back shortly thereafter. And we thought the matter was settled: the government had no business sabotaging the security of digital devices or communications.
Cryto Wars Part II, Secrets and Lies
That’s why the revelations last week were so shocking and, frankly, angering. Having lost its efforts to make us less safe in Congress, in the public debate, and in the courts, the NSA simply thumbed its nose at our democratic mechanisms and proceeded to sabotage our security anyway—in secret.
Making matters worse, the NSA put itself on the front lines of “cybersecurity” debate, ostensibly because it was concerned about computer security of ordinary people and businesses. That is supposed to be one of NSA's roles. Yet, one of the most disturbing anecdotes from the New York Times story on encryption was the NSA meeting confidentially with companies under the guise of helping with cybersecurity but then using information they gleaned to weaken systems or induce the companies to do so:
Even agency programs ostensibly intended to guard American communications are sometimes used to weaken protections. The N.S.A.’s Commercial Solutions Center, for instance, invites the makers of encryption technologies to present their products to the agency with the goal of improving American cybersecurity. But a top-secret N.S.A. document suggests that the agency’s hacking division uses that same program to develop and “leverage sensitive, cooperative relationships with specific industry partners” to insert vulnerabilities into Internet security products.
This should give any company pause. It should give Congress pause when crafting dangerous new laws, like an “information sharing” bill just proposed by Sen. Feinstein, that give the NSA new powers. And it should give all of us pause as we consider whether the NSA has become an agency that believes itself to be above the law and beyond our democratic processes.
Time for Action
Thankfully, the recent disclosures have led to at least some change. The National Institute of Standards and Technology (NIST), the government agency in charge of one of the cryptographic standards the NSA has alleged to have secretly weakened, has reopened public comment on its standard and has even gone as far as to recommend people do not use it anymore.
And we’re beginning to see the international computer security community come to grips with this disturbing news.
But we must do more.
- We must rebuild the broad coalition that fought the first crypto wars, including cryptographers, investors, businesses, developers, civil liberties groups, scientists and ordinary people.
- We must expose the vulnerabilities that have been secreted into our technologies. Then we must demand that they be fixed in a way we can confirm on an ongoing basis.
- We must ask standards bodies, companies and individual developers to pledge, publicly and unequivocally, to reject efforts to build backdoors or insert known vulnerabilities into their products—and create transparency so that they can't secretly cooperate with these efforts in the future.
- We must build our own tools, and support the tools that already exist that are independently verifiable as secure (most prominently, open source tools).
- We must support efforts in Congress to rein in the NSA and bring it back under the rule of law, and we must make sure that Congress specifically forbids the NSA from working to make our technologies less safe.
- And we must not succumb to privacy nihilism.
But the public debate must start from a fundamental principle: The NSA has been making us less safe and it must stop. Now.
Recent DeepLinks Posts
Jul 29, 2016
Jul 29, 2016
Jul 29, 2016
Jul 22, 2016
Jul 21, 2016
- Abortion Reporting
- Analog Hole
- Anti-Counterfeiting Trade Agreement
- Bloggers' Rights
- Broadcast Flag
- Broadcasting Treaty
- Cell Tracking
- Coders' Rights Project
- Computer Fraud And Abuse Act Reform
- Content Blocking
- Copyright Trolls
- Council of Europe
- Cyber Security Legislation
- Defend Your Right to Repair!
- Development Agenda
- Digital Books
- Digital Radio
- Digital Video
- DMCA Rulemaking
- Do Not Track
- E-Voting Rights
- EFF Europe
- Electronic Frontier Alliance
- Encrypting the Web
- Export Controls
- Fair Use and Intellectual Property: Defending the Balance
- FAQs for Lodsys Targets
- File Sharing
- Fixing Copyright? The 2013-2016 Copyright Review Process
- Free Speech
- Genetic Information Privacy
- Government Hacking and Subversion of Digital Security
- Hollywood v. DVD
- How Patents Hinder Innovation (Graphic)
- International Privacy Standards
- Internet Governance Forum
- Know Your Rights
- Law Enforcement Access
- Legislative Solutions for Patent Reform
- Locational Privacy
- Mandatory Data Retention
- Mandatory National IDs and Biometric Databases
- Mass Surveillance Technologies
- Medical Privacy
- Mobile devices
- National Security and Medical Information
- National Security Letters
- Net Neutrality
- No Downtime for Free Speech
- NSA Spying
- Offline : Imprisoned Bloggers and Technologists
- Online Behavioral Tracking
- Open Access
- Open Wireless
- Patent Busting Project
- Patent Trolls
- PATRIOT Act
- Pen Trap
- Policy Analysis
- Public Health Reporting and Hospital Discharge Data
- Reading Accessibility
- Real ID
- Search Engines
- Search Incident to Arrest
- Section 230 of the Communications Decency Act
- Social Networks
- SOPA/PIPA: Internet Blacklist Legislation
- State-Sponsored Malware
- Student Privacy
- Stupid Patent of the Month
- Surveillance and Human Rights
- Surveillance Drones
- Terms Of (Ab)Use
- Test Your ISP
- The "Six Strikes" Copyright Surveillance Machine
- The Global Network Initiative
- The Law and Medical Privacy
- TPP's Copyright Trap
- Trade Agreements and Digital Rights
- Trans-Pacific Partnership Agreement
- Travel Screening
- Trusted Computing
- UK Investigatory Powers Bill
- Video Games