Encryption and the Spymasters: Is Privacy Dead?

Submitted by Charlton Stanley (aka Otteray Scribe) Guest Blogger

ImageImageFirst there was WikiLeaks, then there was Edward Snowden. The drip, drip, drip of information about secretive spy agencies continues. There have been bombshell revelations about the extent to which government agencies like the FBI, CIA, NSA and others are invading our most private communications. Of course, spies do what spies do, and that is to spy on whoever or whatever they can get away with. Few people understood the implications of PRISM when news of the program was leaked. Additionally, I suspect that despite revelations of its existence, the full extent of its capability and reach will never be known by the public.

The NSA reportedly paid tech companies millions of dollars to cover the cost of compliance with their “requests” for back-door access to the software package.

Another program to keep in mind is the FBI Stingray operation that sucks up wireless telephone communications. Last May, in the first litigation where the government admitted having Stingray, Arizona Federal District Judge David Campbell dismissed a motion to suppress.  Judge Campbell is a George W. Bush appointee. PDF of his ruling is here.  Last July, the ACLU filed a Freedom of Information Act lawsuit in the Northern District of California, in an effort to learn more about Stingray, and if it is scooping up domestic phone calls.

If you are a government employee, this is the time to cover your eyes. Washington Post writer Josh Hicks reports:

“The Department of Homeland Security has warned its employees that the government may penalize them for opening a Washington Post article containing a classified slide that shows how the National Security Agency eavesdrops on international communications.

An internal memo from DHS headquarters told workers on Friday that viewing the document from an “unclassified government workstation” could lead to administrative or legal action. “You may be violating your non-disclosure agreement in which you sign that you will protect classified national security information,” the communication said.”

Let’s see if I have this straight. The DHS, those wizards who are supposed to protect us from sneaky dangerous people, threatens their employees with possible criminal charges or other penalties for looking at pictures published in the newspaper or on a blog? Doesn’t everyone feel a lot safer now?

Some of the latest leaks center around a 41-slide PowerPoint presentation alleged to have come from the NSA. One slide in particular references FAA702. This refers to §702 of the FISA Amendments Act (50 USC § 1881a). I am not going to try to explain the slide here, but there are explanations at this link and this link.  At any rate, here is the slide that was leaked.

Image

Which brings us to a discussion of internet security and the security of all our internet activities, including personal, business and financial information. Some of us are required to use encryption as part of our day to day operations. For example, HIPAA requires all files containing patient data be encrypted with an encryption program that meets specific HIPAA guidelines. Non-compliance with HIPAA guidelines can have draconian consequences for any health care service caught in an audit, with both monetary and criminal penalties. Earlier this year, WellPoint was hit with a $1.3 million dollar fine. Cignet fared much worse with a $4.3 million fine. Most health care providers use proprietary software they purchase from vendors, which include some of the biggest names in software.

If there is a secret agreement between proprietary encryption software and the NSA, and a user is obligated to keep data secure, then the legal question becomes one of “knew or should have known.” If we now have reason to believe unknown people at various government agencies can rummage around our computers and digital devices at will, we have a problem. Let’s assume no one reading this is up to no good, but simply conducting day-to-day business as usual. However, file data are sensitive and if it gets into the wrong hands, there could be problems. Hypothetically, let’s say some government employee running a routine scan stumbles across a marriage counselor’s file and discovers his or her spouse is having a torrid affair…with the best friend, the mayor, the parish priest or even their own boss. Then goes home and confronts spouse. Spouse sues the counselor. What then?

We have all seen those ads on the big search engines. If you looked on eBay or Amazon for a widget yesterday, when you opened Google this morning, you see ads for widgets. The big search engines keep track of your browsing habits. That enables them to target you for ads. It also lets you know they are keeping records on you. Those records are subject to both subpoena and data mining by spy software such as PRISM. This has been a boon to the smaller but smarter search engine DuckDuckGo. They do not keep records, and as soon as you close the browser, the search is gone. If subpoenaed, DuckDuckGo has nothing to cough up.

If one suspects proprietary closed-source encryption software is compromised, what to do? There are several solutions. First of all, look at open-source freeware. There are several good freeware encryption programs. Lifehacker has a review of the five top open-source programs. The top-rated one is TrueCrypt. Edward Snowden is said to have used TrueCrypt on the files he took with him. The advantage of open-source is that it is open source. That means it is unlikely to have secret files in it because they would be soon discovered. Open source software is in a constant state of development by experts all over the world. Do spy agencies try to insert malware into it? It is safe to assume they probably try. However, there are many eyes watching, and if something suddenly appeared in the source code that is not supposed to be there, it would be discovered quickly. Security expert and software engineer Bruce Schneier, writing in The Guardian, has a list of five basic things one can do to keep files safe. Here are two of the five suggestions:

 3) Assume that while your computer can be compromised, it would take work and risk on the part of the NSA – so it probably isn’t. If you have something really important, use an air gap. Since I started working with the Snowden documents, I bought a new computer that has never been connected to the internet. If I want to transfer a file, I encrypt the file on the secure computer and walk it over to my internet computer, using a USB stick. To decrypt something, I reverse the process. This might not be bulletproof, but it’s pretty good.

4) Be suspicious of commercial encryption software, especially from large vendors. My guess is that most encryption products from large US companies have NSA-friendly back doors, and many foreign ones probably do as well. It’s prudent to assume that foreign products also have foreign-installed backdoors. Closed-source software is easier for the NSA to backdoor than open-source software. Systems relying on master secrets are vulnerable to the NSA, through either legal or more clandestine means.

The full article by Bruce Schneier is here.

Last Tuesday, the ACLU filed a lawsuit in the US District Court in New York, alleging the National Security Agency’s (NSA) surveillance of vast numbers of Verizon customers is unconstitutional. PDF of the filing is at this link.

Lest they forget, here is a reminder:

Amendment IV

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

 

36 thoughts on “Encryption and the Spymasters: Is Privacy Dead?”

  1. One example could be the Kaspersky anti-virus which is currently featured as the must-download
    software. For example: open within your browser and appearance for anything (Twilight as an example).
    Marc Cuban has evolved a whole new movie theatre model like those that are springing up across the country.

  2. When I CHOSE to come to the USA, as a mature (well, by age, at least) adult, I made a carefully considered judgement. One that said that the social system I was intending to live under for the rest of my days was based on a written and tested Constitutional framework – including the Fourth Amendment. Now I find that someone sold me short – who do I sue?

  3. Does anyone here really believe that the agencies of the US Government have no idea who’s purchased a gun, and received health care, and/or pharmaceuticals for a medical condition.
    Possibly a mental health condition?

    Oh wait… no. That couldn’t happen. The FBI must delete the search results within a given timeframe. There’s patient privacy laws, security practices (such as PCI compliance) requiring data protection of both medical and financial transactions.
    *cough*

  4. You’re suppose to spy…. You’re supposed to give it your best efforts… You’re supposed to use all resources available…. I get it….

    Now, if the WoPo has information that could help you do your job…. You can be sanctioned…. Hmmmmmm…. Maybe the WaPo has something that can back track users….

    Didn’t the amazon king just by it……

  5. Let’s hope the status quo doesn’t get re-elected in the next two federal elections or big brother will be the norm and will be difficult to retract.

    As for gov’t employees being spied on by the gov’t, everyone will be spied on, just like a den of thieves forming every unholy alliance they can one moment and then stabbing each other in the back when it suits them.

    I remember the clipper chip dabacle when it came out. The computer industry in the US was proclaiming, most likely accurately, it would have doomed the industry because someone somewhere else in the world would have manufactured computers without the chip that no consumer would buy a computer containing one.

    Pragmatically, the hacktivist community would have reverse engineered the chip within a couple months and published a bridge or workaround to disable it.

    But now the gov’t is less responsive and more determined to do whatever it wants regardless of the oversight or the law with regard to spying on law abiding citizens. Sorry folks, but I think it is going to get much worse before it gets better.

  6. Thanks for the article OS!

    From the Sept. 5th NY Times article about the NSA:

    “Paul Kocher, a leading cryptographer who helped design the SSL protocol, recalled how the N.S.A. lost the heated national debate in the 1990s about inserting into all encryption a government back door called the Clipper Chip.”
    http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?pagewanted=1&_r=0&ref=general&src=mv

    I clicked on the second page Clipper Chip link and was totally speechless:

    excerpt:

    Nonetheless, on Feb. 4 the White House announced its approval of the Clipper chip, which had been under study as a Government standard since last April, and the Crypto War broke out in full force. Within a month, one civil liberties group, Computer Professionals for Social Responsibility, received 47,000 electronic missives urging a stop to Clipper. “The war is upon us,” wrote Tim May, co-founder of the Cypherpunks, in an urgent electronic dispatch soon after the announcement. “Clinton and Gore folks have shown themselves to be enthusiastic supporters of Big Brother.”
    http://www.nytimes.com/1994/06/12/magazine/battle-of-the-clipper-chip.html

Comments are closed.