SAN FRANCISCO — The US National Security Agency has secretly developed the ability to crack or circumvent commonplace Internet encryption used to protect everything from email to financial transactions, according to media reports citing documents obtained by former NSA contractor Edward Snowden.
The Guardian, The New York Times and journalistic nonprofit ProPublica reported yesterday that the US intelligence agency used a variety of means, ranging from the insertion of “back doors” in popular tech products and services, to supercomputers, secret court orders and the manipulation of international processes for setting encryption standards.
The publications said the NSA and its British partner Government Communications Headquarters reported making strides against Secure Sockets Layer technology, which protects millions of websites beginning in “Https,” and virtual private networks, which are common for remote office workers and for people seeking to obscure their locations.
Privacy advocates have succeeded in convincing Google Inc, Facebook Inc and other popular service providers to turn on SSL for all of their users, but the new disclosures suggest that the effort could be futile against the NSA.
The Times and ProPublica cited an intelligence document saying the NSA spends more than $250 million a year on its “Sigint Enabling Project”, which “actively engages the US and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs” to make them “exploitable”.
It is unclear from the articles how often technology companies voluntarily agreed to allow covert access to their offerings through back doors and how often the NSA compelled them to do so through secret court orders.
The New York Times and ProPublica said they were asked not to publish their findings by intelligence officials who argued that their foreign targets might switch to newer forms of encryption or communications if the NSA tactics were revealed.
“Some specific facts” were removed, the New York Times said. The articles do not say which mainstream encryption systems have been effectively broken. (Reuters)