Thanks to Edward Snowden’s revelations, attention has been drawn to the NSA’s espionage. Alongside this monitoring, the intelligence services also direct attacks on Internet security itself. These attacks jeopardize the security of dissident activists and the diverse tools they use in order to protect their identities.
During these past nine months we have learned more about what goes on behind the doors of the NSA than we have learned during the agency’s previous sixty years of existence. One by one, its creatively named programs have been pulled into the light: PRISM, XKeyscore, and Muscular. Most of the attention has been on pure surveillance—information about how the NSA can snoop through our e-mails or tap Angela Merkel’s cell phone.
The NSA seems to be governed by two main policies. One is to extend its digital tentacles far into the systems of Internet companies and telephone operators and to pluck out information at will. This is possible not only because the NSA has access to important computer centers and hubs on the Web, but also as a result of direct and active hacking procedures. NSA technicians or their allied technicians attack the systems using the same methods used by criminal gangs in search of Internet banks or company secrets. One such example of direct hacking came to light last autumn, when Der Spiegel revealed that the NSA’s British counterpart, GCHQ, had hacked the partly government-owned Belgian telecom operator Belgacom.
To phrase it drastically: the other NSA policy seems to be to sabotage Internet security. Amazingly, the NSA covertly collaborates with software companies in order to make it easier to circumvent the companies’ security systems. This may sound absurd but the leaked documents published by the Guardian inform us that the intelligence agency “actively engages US and foreign IT industries to covertly influence…their commercial products’ designs,” partly by managing to “insert vulnerabilities into commercial encryption systems.”
This information confirms that the NSA inserts security vulnerabilities into systems that are used to protect sensitive communication. These are called “back doors” and function as such: they are shortcuts into computers and systems for those who know where to look for them. If your ordinary work computer has a back door, the person who placed it there can log in and read your files. If the back door has been placed at a big Internet operator the consequences can be hazardous—then it becomes possible to tap Internet traffic.
A scenario emerges of an omnipresent and pre-installed destruction of all kinds of security. The NSA must, as far as possible, ensure that encryption and security measures remain of sufficiently poor quality that intelligence officers can decode and circumvent them when they feel the need.
The idea is, of course, that only the NSA should be able to use these back doors. The problem is that no such guarantee can be given. No one can promise that Chinese or Iranian intelligence agencies will not find the same security lapses, or that criminal gangs, political groups, or anyone interested in eavesdropping on their adversaries will not use them. The NSA is playing for high stakes, indeed.
The project is huge, to say the least, with an annual budget of more than 250 million dollars—something that has been revealed in leaked documents. However, very little is known regarding which companies are involved in the secret collaboration.
The methods of undermining Internet security risk even more hazardous consequences than the government’s actual eavesdropping. Of course, the NSA is known as the most knowledgeable intelligence service with the best resources for digital interception, but other countries are quickly developing their own capabilities. China, for example, according to Amnesty International’s estimation, is believed to have 30,000 to 50,000 policemen employed just to work in Internet censorship.
It all becomes even more worrying as oppositional groups within dictatorships increasingly place their trust in technical barriers and encryption in order to protect their own communication. There are many such examples.
Tor is a network that helps people use the web anonymously. By encrypting digital traffic and allowing it to bounce around on the Internet in a complex structure before it reaches its recipient, it becomes impossible to determine who the sender is. A film clip from one country can be downloaded in another country via Tor, rendering the receiving country’s government paralyzed and incapable of discovering the origin of the clip. On top of this, Tor helps people in countries with harsh censorship practices to circumvent these barriers—for example, China’s massive block, the “Great Firewall of China.”
During the 2009 protests in Iran—the so-called “Green Revolution”—the use of Tor increased tenfold during the first weeks of the protests. Through its anonymous connections, it became possible not only to send pictures, films, and text from the country, but also to read foreign reports about what was going on in the streets of Tehran. Still today, Tor is perhaps the best example of how technology can be used to enhance the freedom of speech and to create possible avenues of communication in repressive states. Nevertheless, Tor finds itself in the NSA’s sights. The fact that the agency has created several reports and has extensively studied this anonymizing network can in itself be seen as evidence of its success. “We will never be able to de-anonymize all Tor users all the time,” writes the NSA in a leaked document, “but with manual analysis we can de-anonymize a very small fraction.”[1]
The NSA’s focus on Tor includes research on how the system can be attacked.[2] Several strategies are brought forward, ranging from ways to outsmart the anonymity function to ways to make the Internet slower and thereby less attractive. Since the basic anonymization function has not been cracked, the NSA is instead working to find ways of identifying particular Tor users and targeting their computers. This is a dream scenario for an intelligence agency whose target (by this method) is covering up her tracks on the web—whether the agency is in Washington, DC or in Beijing. During the Arab Spring, too, activists used Tor to communicate with one another and with the world.
The attempts to destroy Tor show the American government’s ambivalent attitude to the technology. In actual fact, Tor was to a great extent developed by means of government funding. The American Department of Foreign Affairs has both contributed money to development work (even Swedish SIDA has given financial support) and contributed to the education of Syrian rebels in order to teach them digital communication that circumvents the control of the Assad regime.[3] A few years ago the US set aside 57 million dollars for anonymization aid for people in conflict areas and living under dictatorships. Ironically, this happens while another section of the government works hard trying to crack the very same network.
As far as is known, Tor’s creators, among them many volunteers who contribute on a non-profit basis, have not deliberately weakened their security standards at the NSA’s request. But private companies have. Which companies have gotten into bed with the NSA is not apparent from the leaked documents—the information is protected by a stricter security classification than the one Edward Snowden had. But a few cases have been brought to light. RSA is one of the world’s most important companies dealing with encryption and security. It has recently been revealed that RSA accepted ten million dollars from the NSA and in exchange, the company agreed to use encryption with known drawbacks that in practice made it easier to crack.
Historically, the actions of the NSA are not surprising. For decades, the US has deemed encryption a powerful tool not only to be utilized, but also to be studied in order to protect the country from enemies who understand the inner workings of the system. The NSA’s mission has always been partly to protect the US’s own secrets and partly to reveal the secrets of others. Previously, this was achieved by way of trade barriers; encryption methods were classified as weapons, therefore export was prohibited. As late as the 1990s, Phil Zimmermann, programmer and activist, was charged for exporting forbidden encryption devices. The program that he created is called PGP and is today the most popular method used to encrypt e-mail. (Five years later the charge against him was withdrawn. The episode is known as The Crypto Wars.)
However, the Internet undermined all control of encryption exports. It was simply not possible to regulate the spread of technology and who had access to it. From this perspective, one can understand the NSA’s effort to weaken security in general—if everyone has access to the same mechanisms, then they ought to have big enough lapses to let the NSA tune in.
Thanks to its central role in the world of international security, the NSA can reach even farther than merely affecting specific security products. The agency has (or at least ‘had’—before the Snowden leaks) a great deal of influence over encryption standards (a kind of basic set of rules that commercial companies abide by when they develop digital security devices). Leaked documents reveal that the NSA is influencing these standards in a direction that benefits it, and this means bad security that is easier to circumvent. These revelations affect almost all who use the Web. Standards like these are used to encrypt bank transactions as well as hard disks and sensitive correspondence. Consequently, in the wake of this revelation, some standards have been withdrawn and the work needed to scrutinize more standards in the pursuit of back doors is in full swing.
The movement that works to advance free information exchange takes on many forms. In connection with the Green Revolution in Iran, Western activists worked to supply Iranians with the tools to enable free communication. Adherents of Falun Gong in the West have developed the program Ultrasurf to give Chinese followers the ability to find information beyond the country’s national firewall. In January 2011, when Egypt closed down the whole country’s Internet connection in order to stave off the opposition, activists shared telephone numbers that made it possible to send pictures and text via old-fashioned modems.
Every attempt to protect dissidents’ communication basically rests on technology; it rests on encryption that makes it impossible to trace the sender or to read the content of correspondence. The fact that the NSA spends hundreds of millions of dollars in order to weaken the scope of encryption devices is just as disturbing as the espionage we have heard about in these past few months.
[1] http://www.theguardian.com/world/interactive/2013/oct/04/tor-stinks-nsa-presentation-document
[2] http://www.theguardian.com/world/2013/oct/04/tor-attacks-nsa-users-online-anonymity