The Guardian, the New York Times, and ProPublica today simultaneously published bombshell stories about the NSA's massive decryption efforts. Find links to all the stories and documents here.
Computer expert and privacy advocate Bruce Schneier, who helped Guardian reporters understand the documents, which were given to the paper by Edward Snowden, summed up the story nicely:
What I took away from reading the Snowden documents was that if the NSA wants in to your computer, it's in. Period.
If the NSA wants to target you, good luck. You probably can't stop it. Where does that leave us, given that we know the government has a history of spying on people who are doing no wrong?
The government and its defenders never tire of repeating the refrain: "We must do this to protect you from terrorists. We don't spy on ordinary people. We are simply keeping you safe." And indeed, the NSA's official mission is to conduct foreign intelligence operations. But is that what the NSA does today?
One document released today, which describes the agency's decryption efforts, should put to rest the claim that the NSA is principally interested in foreign surveillance.
The Guardian reports:
The NSA's codeword for its decryption program, Bullrun, is taken from a major battle of the American civil war. Its British counterpart, Edgehill, is named after the first major engagement of the English civil war, more than 200 years earlier. A classification guide for NSA employees and contractors on Bullrun outlines in broad terms its goals. "Project Bullrun deals with NSA's abilities to defeat the encryption used in specific network communication technologies. Bullrun involves multiple sources, all of which are extremely sensitive." The document reveals that the agency has capabilities against widely used online protocols, such as HTTPS, voice-over-IP and Secure Sockets Layer (SSL), used to protect online shopping and banking.
The document also shows that the NSA's Commercial Solutions Center, ostensibly the body through which technology companies can have their security products assessed and presented to prospective government buyers, has another, more clandestine role. It is used by the NSA "to leverage sensitive, co-operative relationships with specific industry partners" to insert vulnerabilities into security products. Operatives were warned that this information must be kept top secret "at a minimum". A more general NSA classification guide reveals more detail on the agency's deep partnerships with industry, and its ability to modify products. It cautions analysts that two facts must remain top secret: that NSA makes modifications to commercial encryption software and devices "to make them exploitable", and that NSA "obtains cryptographic details of commercial cryptographic information security systems through industry relationships".
- How Encryption Works (Guardian)
- The US Has Betrayed the Internet; We Need to Take it Back (Guardian)
- US and UK Spy Agencies Defeat Privacy and Security on the Internet (Guardian)
- Revealed: The NSA’s Secret Campaign to Crack, Undermine Internet Security (ProPublica, NYTimes)
- NSA Foils Much Internet Encryption (NYTimes)
- Graphic: Unlocking Private Communications (NYTimes)
- Editor's Note: Why We Published the Decryption Story (ProPublica)
- Project Bullrun (Guardian)
- NSA: Classification Guide for Cryptanalysis (Guardian)
- SIGINT: How the NSA Collaborates with Technology Companies (Guardian)