Encryption cracked by US and UK surveillance experts

Out-Law News | 06 Sep 2013 | 2:36 pm | 2 min. read

US and UK intelligence officials have found ways to access communications encrypted by technology companies, according to new information disclosed by the whistleblower Edward Snowden.

According to one of the leaked documents, details of which have been published by the Guardian newspaper, the New York Times and ProPublica, the National Security Agency (NSA) in the US have developed a program codenamed 'Bullrun' which can "defeat the encryption used in specific network communication technologies". The NSA spends $254.9 million on the Bullrun operation annually, the documents reveal.

"For the past decade, NSA has lead [sic] an aggressive, multi-pronged effort to break widely used internet encryption technologies," a 2010 document formed by UK intelligence body GCHQ said, according to the Guardian's report. "Vast amounts of encrypted internet data which have up till now been discarded are now exploitable."

HTTPS, VOIP and SSL protocols, which are typically deployed to protect the privacy of online communications, are all subject to decryption by the NSA's program, it said.

According to the leaked information, Bullrun "actively engages US and foreign IT industries to covertly influence and/or overtly leverage their commercial products' designs". Businesses that submit new encryption technology they have developed to the NSA's Commercial Solutions Centre in an effort to improve US cyber security have their technology modified "to make them exploitable", the documents state, according to the Guardian's report.

The NSA also "obtains cryptographic details of commercial cryptographic information security systems through industry relationships". It secretly managed to become "sole editor" of a security standard approved by the US National Institute of Standards and Technology in 2006, the report said.

GCHQ was actively seeking to understand how to access communications from systems used by Facebook, Google, Microsoft and Yahoo, according to one of the documents. It had found "new access opportunities" in relation to Google's systems by 2012, the documents said, according to the New York Times' report, although Google said that there was no evidence that its systems have been breached.

An internal GCHQ document stressed the importance of keeping the decryption capabilities secret from both businesses and the public, according to the Guardian's report.

"Loss of confidence in our ability to adhere to confidentiality agreements would lead to loss of access to proprietary information that can save time when developing new capability," the document said, according to the report. "Knowledge that GCHQ exploits these products and the scale of our capability would raise public awareness generating unwelcome publicity for us and our political masters."

The Guardian said that it, along with the New York Times and ProPublica, had been asked not to publish the article by intelligence officials. The publications omitted some details from their reports after the officials claimed that publishing details of the decryption capabilities could encourage surveillance targets to switch the way in which they communicate to avoid their activities being tracked.

Edward Snowden previously worked for the NSA. Earlier this summer he disclosed to the Guardian details of a computer program called 'Prism' that, according to the leaked documents, enables NSA officials to collect data "directly from the servers" of a number of major technology companies.

Amidst uproar from privacy groups, US government and intelligence officials have claimed that data is accessed in line with the US' Foreign Intelligence Surveillance Act (FISA).

FISA sets out the procedures that US intelligence agencies have to follow in order to gather foreign intelligence information about foreign based individuals for the purposes of protecting against attacks on the US, such as terrorism. Under the regime intelligence agencies require a court to sanction the acquisition of data, although privacy groups have challenged the thoroughness of the procedure.