Internet giants voice concern over NSA, GCHQ circumvention of encryption

Internet giants voice concern over NSA, GCHQ circumvention of encryption

Microsoft, Yahoo, and Google expressed unease Friday about the National Security Agency’s ability to bypass online security systems that protect the privacy of internet users.

Yahoo said in a statement that if such an effort by the NSA and its British counterpart GCHQ to compromise encryption privacy protections used online exists, “it offers substantial potential for abuse.” Microsoft and Google also both signaled concern and an unawareness of the intelligence agencies’ encryption-thwarting methods.

The New York Times, the Guardian, and ProPublica published Thursday information obtained from Edward Snowden outlining how the agencies have circumvented the encryption methods used to secure emails, chats, and essentially most internet traffic that was previously thought to be protected. In addition, a GCHQ team has worked to infiltrate encrypted traffic on the “big four” service providers: Google, Yahoo, Microsoft’s Hotmail (now known as Outlook), and Facebook.

“We are unaware of and do not participate in such an effort,” a Yahoo spokesman said Friday. “Yahoo zealously defends our users’ privacy and responds to government requests for data only after considering every applicable objection and in accordance with the law.”

A Microsoft spokesperson said, “We have significant concerns about the allegations of government activity reported yesterday and will be pressing the government for an explanation.”

Microsoft and Google are currently teaming up on a lawsuit against the US government for the right to reveal more information about official requests for customer data by American intelligence. The companies are set to file legal briefs in the case on Monday.

As for the encryption revelations, a spokesman for Google said, “The security of our users’ data is a top priority. We do not provide any government, including the US government, with access to our systems. As for recent reports that the US government has found ways to circumvent our security systems, we have no evidence of any such thing ever occurring. We provide user data to governments only in accordance with the law.”

Google is ramping up its efforts to encrypt all information passing through its system, The Washington Post reported late Friday. The effort was started last year but was accelerated in June when it was revealed via Snowden’s leaks that Google and other companies are legally compelled to share data with the NSA through its PRISM program.

Google did not comment on how much the initiative will cost, nor did they offer clues as to the scope of the project or what exact technology will be used. The effort is expected to be completed soon, months ahead of schedule.

The Post said that other companies – including Microsoft, Apple, and Facebook – are now using more encryption for some of their services, at varying levels of sophistication.

On Friday, Yahoo shared its first transparency report with the public, citing what it could about government requests made to the company.

“Our legal department demands that government data requests be made through lawful means and for lawful purposes,” Ron Bell, Yahoo’s general counsel, wrote Friday. “We regularly push back against improper requests for user data, including fighting requests that are unclear, improper, overbroad or unlawful. In addition, we mounted a two-year legal challenge to the 2008 amendments to the Foreign Intelligence Surveillance Act and recently won a motion requiring the US government to consider further declassifying court documents from that case.”

Reacting to the encryption stories, the office of the director of national intelligence (ODNI) said Friday that it should “hardly be surprising that our intelligence agencies seek ways to counteract our adversaries’ use of encryption.”

The ODNI, which heads US intelligence-gathering efforts, said in a statement “the fact that NSA’s mission includes deciphering enciphered communications is not a secret, and is not news,” but went on to warn that the revelations may cause harm to national security.

“The stories published yesterday, however, reveal specific and classified details about how we conduct this critical intelligence activity,” ODNI said. “Anything that yesterday’s disclosures add to the ongoing public debate is outweighed by the road map they give to our adversaries about the specific techniques we are using to try to intercept their communications in our attempts to keep America and our allies safe and to provide our leaders with the information they need to make difficult and critical national security decisions.”

Tor anonymity network could be ‘easily compromised,’ researcher says

Tor anonymity network could be ‘easily compromised,’ researcher says

Following revelations of mass online surveillance and encryption backdoors installed by the National Security Agency, some users have flocked to the Tor router service – although experts warn that it may not be as secure as once thought.

Tor, short for “The Onion Router,” has experienced a major uptick in subscribers since former NSA contractor Edward Snowden leaked details about the US government’s vast internet surveillance programs.

The service – which for years accepted funding from US government entities – has doubled its customer base, thanks to a growing number of people who wish to conceal their online communication, search queries, and home location from the government.

The most recent Snowden leak, which disclosed that the NSA uses backdoors to crack web encryption, may have alarmed Tor users by revealing that US and British intelligence agencies have also targeted the very anonymity services that Tor counts itself among. The NSA has allegedly spent hundreds of millions of dollars annually to “covertly influence” tech companies, and even planted undercover agents within major corporations.  

Unfortunately for the thousands of people who rely on Tor, many of the devices they use to connect to its servers could still be infiltrated by the NSA. This is partly due to only 10 percent of Tor servers using its latest iteration which boasts stronger cryptography.

Rob Graham, the CEO of penetration testing firm Errata Security, told Ars Technica that he ran a “hostile” exit node on Tor and found that 76 percent of the nearly 23,000 connections he tracked used a form of the 1024-bit Diffie-Hellman key.

The NSA’s exact capabilities have yet to be made public, but most security experts assume the agency could easily crack the key Graham observed.

Everyone seems to agree that if anything, the NSA can break 1024 RSA/DH keys,” Graham wrote in a blog post. “Assuming no ‘breakthroughs,’ the NSA can spend $1 billion on custom chips that can break such a key in a few hours. We know the NSA builds custom chips, they’ve got fairly public deals with IBM foundries to build chips.”

He also advised users to take responsibility for themselves by consistently updating their Tor software package and thoroughly reading through NSA documents that have been made public.

Of course, this is just guessing about the NSA’s capabilities,” Graham continued. “As it turns out, the newer elliptical keys may turn out to be relatively easier to crack than people thought, meaning that older software may in fact be more secure.”

It has been made public that the Department of Defense provided Tor with $876,099 in 2012 – a sum large enough to make up 40 percent of the project’s $2 million budget. Other government donors included the US State Department and the National Science Foundation.

Though the NSA itself is housed under the Department of Defense, Tor’s executive director Andrew Lewman has said that the intelligence agency has not requested a backdoor into the system.

The parts of the US and Swedish governments that fund us through contracts want to see strong privacy and anonymity exist on the Internet in the future,” Lewman explain in an email to customers, as quoted by The Washington Post. “Don’t assume that ‘the government’ is one coherent entity with one mindset.”