A new wave of U.S. National Security Agency (NSA) document leaks show the agency wasn’t able to spy on everyone thanks to some encryption tools several programs use that successfully thwart digital espionage.
German magazine Der Spiegel reported the NSA couldn’t decipher communications such as emails and online chat messages from a handful of services that use encryption beyond the NSA’s code-cracking abilities, based on documents obtained from former NSA contractor and whistleblower Edward Snowden in 2013. Der Spiegel recently analyzed NSA documents Snowden previously released to news outlets in 2013.
“[U]biquitous encryption on the Internet is a major threat to NSA’s ability to prosecute digital-network intelligence (DNI) traffic or defeat adversary malware,” an NSA employee said in an internal training document from 2012.
Programs that used OTR or off-the-record or end-to-end encryption such as the anonymous network Tor and professional software company Zoho’s email and chat services proved to be major challenges for the NSA. The agency also reported that it couldn’t break into files using TrueCrypt, a recently decommissioned open-source, whole disk-encryption service, along with other encryption tools that kept some messages unreadable.
The NSA was stumped further if users incorporated a variety of security measures, such as using Tor to connect to the internet, CSpace to send online messages and ZRTP to make phone calls. That combination made individuals nearly invisible to the NSA, Der Spiegel reported.
But the leaked documents also revealed which services provide little privacy protections. The NSA labeled the services and files such as “trivial,” “moderate” or “catastrophic” based on how easy they were to decrypt. Hacking into Facebook chats were considered “minor,” Der Spiegel reported, while getting emails through “mail.ru,” a Moscow internet service provider was a “moderate” task.
Moreover, using a virtual private network or VPN provides minimal security. VPNs, which can be used to circumvent online government censorship and surveillance, is exploited by the NSA thanks to a team dedicated to hacking VPN connections such as the ones used by Greek government agencies.
Public concerns over government surveillance have swelled and fueled a global push for better privacy practices, including standardized encryption across the internet since last year’s Snowden revelations. The NSA released a slew of redacted documents Christmas Eve detailing how the agency and others in the intelligence community knowingly or unwittingly violated privacy laws to collect data. The document release confirms earlier reports and suspicions that the agency’s spy programs mainly collected private online communications from ordinary citizens rather than suspected terrorists.
Earlier this year, Snowden encouraged tech companies at the SXSW conference to take the lead by encrypting all of their services to combat government surveillance. Everyday citizens have heeded Snowden’s advice, increasing encryption use more than 60 percent since news of the NSA’s spy program hit in 2013. Tech companies such as WordPress, Tumblr and Google have also boosted their web security with tougher encryption measures.
International governments have also taken more precautions to prevent U.S. intelligence agencies from eavesdropping on official communications. Germany and Russia vowed earlier this year to switch to paper communications including handwritten notes and typewriters to avoid detection. Other countries have responded by beefing up their own spy programs or doubling down on American tech companies operating overseas.
Companies such as Google and Facebook have had to combat international threats to ban their services if the companies fail to adhere to strict privacy guidelines. European regulators have chastised the companies for disregarding consumer privacy, and have moved to reign in indiscriminate voracious data collection practices. Italy recently gave the company 18 months to adopt newly imposed privacy policies that would require the company to routinely purge user data and get expressed permission before tracking consumers’ internet activity for advertisements.
Facebook is awaiting a controversial European Union high court ruling that could determine whether the social network illegally let the NSA spy on European users. If the company loses, other tech companies could be face tougher privacy laws, like getting expressed permission to collect and store consumer data, if they want to do business in Europe.