Encryption and the Spymasters: Is Privacy Dead?

Submitted by Charlton Stanley (aka Otteray Scribe) Guest Blogger

First there was WikiLeaks, then there was Edward Snowden. The drip, drip, drip of information about secretive spy agencies continues. There have been bombshell revelations about the extent to which government agencies like the FBI, CIA, NSA and others are invading our most private communications. Of course, spies do what spies do, and that is to spy on whoever or whatever they can get away with. Few people understood the implications of PRISM when news of the program was leaked. Additionally, I suspect that despite revelations of its existence, the full extent of its capability and reach will never be known by the public.

The NSA reportedly paid tech companies millions of dollars to cover the cost of compliance with their “requests” for back-door access to the software package.

Another program to keep in mind is the FBI Stingray operation that sucks up wireless telephone communications. Last May, in the first litigation where the government admitted having Stingray, Arizona Federal District Judge David Campbell dismissed a motion to suppress. Judge Campbell is a George W. Bush appointee. PDF of his ruling is here. Last July, the ACLU filed a Freedom of Information Act lawsuit in the Northern District of California, in an effort to learn more about Stingray, and whether it is scooping up domestic phone calls.

If you are a government employee, this is the time to cover your eyes. Washington Post writer Josh Hicks reports:

“The Department of Homeland Security has warned its employees that the government may penalize them for opening a Washington Post article containing a classified slide that shows how the National Security Agency eavesdrops on international communications.

An internal memo from DHS headquarters told workers on Friday that viewing the document from an “unclassified government workstation” could lead to administrative or legal action. “You may be violating your non-disclosure agreement in which you sign that you will protect classified national security information,” the communication said.”

Let’s see if I have this straight. The DHS, those wizards who are supposed to protect us from sneaky dangerous people, threatens their employees with possible criminal charges or other penalties for looking at pictures published in the newspaper or on a blog? Doesn’t everyone feel a lot safer now?

Some of the latest leaks center around a 41-slide PowerPoint presentation alleged to have come from the NSA. One slide in particular references FAA702. This refers to §702 of the FISA Amendments Act (50 USC § 1881a). I am not going to try to explain the slide here, but there are explanations at this link and this link.  At any rate, here is the slide that was leaked.

[Image: the leaked slide referencing FAA702]

Which brings us to a discussion of internet security and the security of all our internet activities, including personal, business and financial information. Some of us are required to use encryption as part of our day-to-day operations. For example, HIPAA requires all files containing patient data be encrypted with an encryption program that meets specific HIPAA guidelines. Non-compliance with HIPAA guidelines can have draconian consequences for any health care service caught in an audit, with both monetary and criminal penalties. Earlier this year, WellPoint was hit with a $1.3 million fine. Cignet fared much worse with a $4.3 million fine. Most health care providers use proprietary software they purchase from vendors, which include some of the biggest names in software.

If there is a secret agreement between the vendor of proprietary encryption software and the NSA, and a user is obligated to keep data secure, then the legal question becomes one of “knew or should have known.” If we now have reason to believe unknown people at various government agencies can rummage around our computers and digital devices at will, we have a problem. Let’s assume no one reading this is up to no good, but simply conducting day-to-day business as usual. However, file data are sensitive, and if they get into the wrong hands, there could be problems. Hypothetically, let’s say some government employee running a routine scan stumbles across a marriage counselor’s file and discovers his or her spouse is having a torrid affair…with the best friend, the mayor, the parish priest or even their own boss. The employee then goes home and confronts the spouse. The spouse sues the counselor. What then?

We have all seen those ads on the big search engines. If you looked on eBay or Amazon for a widget yesterday, when you opened Google this morning, you see ads for widgets. The big search engines keep track of your browsing habits. That enables them to target you for ads. It also lets you know they are keeping records on you. Those records are subject to both subpoena and data mining by spy software such as PRISM. This has been a boon to the smaller but smarter search engine DuckDuckGo. They do not keep records, and as soon as you close the browser, the search is gone. If subpoenaed, DuckDuckGo has nothing to cough up.

If one suspects proprietary closed-source encryption software is compromised, what to do? There are several solutions. First of all, look at open-source freeware. There are several good freeware encryption programs. Lifehacker has a review of the five top open-source programs. The top-rated one is TrueCrypt. Edward Snowden is said to have used TrueCrypt on the files he took with him. The advantage of open-source software is that anyone can read its source code. That means it is unlikely to have secret code hidden in it, because it would soon be discovered. Open-source software is in a constant state of development by experts all over the world. Do spy agencies try to insert malware into it? It is safe to assume they probably try. However, there are many eyes watching, and if something suddenly appeared in the source code that is not supposed to be there, it would be discovered quickly. Security expert and software engineer Bruce Schneier, writing in The Guardian, has a list of five basic things one can do to keep files safe. Here are two of the five suggestions:

3) Assume that while your computer can be compromised, it would take work and risk on the part of the NSA – so it probably isn’t. If you have something really important, use an air gap. Since I started working with the Snowden documents, I bought a new computer that has never been connected to the internet. If I want to transfer a file, I encrypt the file on the secure computer and walk it over to my internet computer, using a USB stick. To decrypt something, I reverse the process. This might not be bulletproof, but it’s pretty good.

4) Be suspicious of commercial encryption software, especially from large vendors. My guess is that most encryption products from large US companies have NSA-friendly back doors, and many foreign ones probably do as well. It’s prudent to assume that foreign products also have foreign-installed backdoors. Closed-source software is easier for the NSA to backdoor than open-source software. Systems relying on master secrets are vulnerable to the NSA, through either legal or more clandestine means.

The full article by Bruce Schneier is here.

Last Tuesday, the ACLU filed a lawsuit in the US District Court in New York, alleging the National Security Agency’s (NSA) surveillance of vast numbers of Verizon customers is unconstitutional. PDF of the filing is at this link.

Lest they forget, here is a reminder:

Amendment IV

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

 

36 thoughts on “Encryption and the Spymasters: Is Privacy Dead?”

  1. I’ve come to realize that with all this Government interceding in our daily lives through Corporate cooperation for a profit all in violation of our Bill of Rights, umm…
    … I think Benito defined as something once. I could be wrong, yes?

  2. From “NSA Revelations Cast Doubt on the Entire Tech Industry” by DAVID KRAVETS AND ROBERT MCMILLAN.

    Six years ago, two Microsoft cryptography researchers discovered some weirdness in an obscure cryptography standard authored by the National Security Agency. There was a bug in a government-standard random number generator that could be used to encrypt data.

    The researchers, Dan Shumow and Niels Ferguson, found that the number generator appeared to have been built with a backdoor — it came with a secret numeric key that could allow a third party to decrypt code that it helped generate.

    According to Thursday’s reports by the ProPublica, the Guardian, and The New York Times, classified documents leaked by NSA whistleblower Edward Snowden appear to confirm what everyone suspected: that the backdoor was engineered by the NSA. Worse still, a top-secret NSA document published with the reports says that the NSA has worked with industry partners to “covertly influence” technology products.

    That sounds bad, but so far, there’s not much hard evidence about what exactly has been compromised. No company is named in the new allegations. The details of the reported modifications are murky. So while much of the internet’s security systems appear to be broken, it’s unclear where the problems lie.

    The result is that the trustworthiness of the systems we used to communicate on the internet is in doubt. “I think all companies have a little bit of taint after this,” says Christopher Soghoian, a technologist with the American Civil Liberties Union.

    The latest documents show that the NSA has vast crypto-cracking resources, a database of secretly held encryption keys used to decrypt private communications, and an ability to crack cryptography in certain VPN encryption chips. Its goal: to crack in a widespread way the internet’s security tools and protocols.

    David Dampier, the director of the Center for Computer Security Research at Mississippi State University, says it’s “wrong” for companies to add backdoors. But he added that the latest revelations of the government’s alleged decryption capabilities aren’t surprising.

    “I think that no encryption created by anyone is going to protect you from everyone. The stronger the encryption the harder they are going to work to decrypt it,” he said. “I don’t care what company is selling you encryption software. Whatever they are going to sell you, it can be decrypted. There’s nothing that is infallible.”

    The reports talk about the NSA’s attempts to exploit software bugs, break codes and accumulate encryption keys — this is all stuff that most security experts expected the surveillance agency to be doing. But here’s the most unsettling part: A leaked excerpt from the agency’s 2013 budget request talks about the NSA working with “US and foreign IT industries to covertly influence and/or overtly leverage their commercial products designs.” The document explicitly says: “These design changes make the systems in question exploitable.”

    Daniel Castro, a senior analyst with the Information Technology and Innovation Foundation, calls the latest leaks disturbing. “We went through this debate with the Clipper Chip, and it was clear where public opinion stood,” he says, referring to a backdoor technology the NSA wanted to install in all encryption two decades ago.

    “If these claims are true, and the NSA introduced backdoors into global security standards, this seems like a clear perversion of democracy,” Castro added. “This just further erodes the competitiveness of U.S. tech companies. In particular, I think this enlarges the scope of companies that will suffer backlash since cryptographic standards are often embedded in hardware.”

    Read the rest at WIRED

  3. p.s.
    I know there are laws limiting me to where I can video, but this is for the safety of the building! Or are gonna let the bad guys win on this one, too?

  4. On spying, I often use this analogy:

    If, in my business, I set up hidden cameras in the bathrooms because someone, at sometime, might do something illegal. I don’t know what activities I’ll be recording, but to be vigilant, I’ll record everyone in every stall and “trust me”, I’ll only look at the video if I deem it necessary…

    … You’re OK with that, YES?

  5. Revealed: how US and UK spy agencies defeat internet privacy and security
    • NSA and GCHQ unlock encryption used to protect emails, banking and medical records
    • $250m-a-year US program works covertly with tech companies to insert weaknesses into products
    • Security experts say programs ‘undermine the fabric of the internet’
    James Ball, Julian Borger and Glenn Greenwald
    Guardian Weekly, Thursday 5 September 2013

    http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security

    The files show that the National Security Agency and its UK counterpart GCHQ have broadly compromised the guarantees that internet companies have given consumers to reassure them that their communications, online banking and medical records would be indecipherable to criminals or governments.

    The agencies, the documents reveal, have adopted a battery of methods in their systematic and ongoing assault on what they see as one of the biggest threats to their ability to access huge swathes of internet traffic – “the use of ubiquitous encryption across the internet”.

    Those methods include covert measures to ensure NSA control over setting of international encryption standards, the use of supercomputers to break encryption with “brute force”, and – the most closely guarded secret of all – collaboration with technology companies and internet service providers themselves.

    Through these covert partnerships, the agencies have inserted secret vulnerabilities – known as backdoors or trapdoors – into commercial encryption software.

    The files, from both the NSA and GCHQ, were obtained by the Guardian, and the details are being published today in partnership with the New York Times and ProPublica. They reveal:
    (continued at link)

  6. End of Internet Privacy : Glenn Greenwald : Secret NSA Program : Crack Online Encryption

  7. The US government has betrayed the internet. We need to take it back

    The NSA has undermined a fundamental social contract. We engineers built the internet – and now we have to fix it

    Bruce Schneier
    The Guardian, Thursday 5 September 2013

    http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-internet-nsa-spying

    Government and industry have betrayed the internet, and us. By subverting the internet at every level to make it a vast, multi-layered and robust surveillance platform, the NSA has undermined a fundamental social contract. The companies that build and manage our internet infrastructure, the companies that create and sell us our hardware and software, or the companies that host our data: we can no longer trust them to be ethical internet stewards.

    This is not the internet the world needs, or the internet its creators envisioned. We need to take it back.

    And by we, I mean the engineering community.

    Yes, this is primarily a political problem, a policy matter that requires political intervention.

    But this is also an engineering problem, and there are several things engineers can – and should – do.

    One, we should expose.

    (continued at link)

  8. Mikepouraryan,
    That’s NSA/CIA/DEA…
    … FBI will work with local police to quash protestors

  9. Chuck,
    it used to be that we had to worry about what we said on Facebook. Now Facebook is the least of our worries.

  10. OS,

    If good code (“open source”) is outlawed, only hackers will have big brother free encryption algorithms.

    Once upon a time the military NSA was better behaved, and even trusted hippies to help them.

    They were also very conscious of constitutional legalities:

    “Cliff, I’d like to take over, but our charter prevents it. NSA can’t engage in domestic monitoring, even if we’re asked. That’s prison term stuff.” He took this seriously.

    (A Tale of Coup Cities – 4, quoting The Cuckoo’s Egg). They gave a hippie the national medal of honor for discovering that a foreign spy was having his way with them.

    Oh for the good old days.

  11. Steve Fleischer 1, September 7, 2013 at 2:13 pm

    I expect our foreign enemies to do us harm.

    I do not expect – and I deeply resent – the efforts by our government to undermine the Bill of Rights.

    The efforts of Pres. Obama (and Pres. Bush before him) to invade our privacy undermines the legitimacy of our government.
    ============================
    True.

    “It” goes back further than those two presidents, and its embryonic state goes back to a time when J. Edgar Hoover defined how “it” could be used.

    More recently, in terms of intensity, it goes back to a coup that not very many folks noticed.

    “If there is a coup and no one notices, did a coup really happen?”

  12. I expect our foreign enemies to do us harm.

    I do not expect – and I deeply resent – the efforts by our government to undermine the Bill of Rights.

    The efforts of Pres. Obama (and Pres. Bush before him) to invade our privacy undermines the legitimacy of our government.

  13. Great article Chuck. A lot of the encryption stuff is beyond us mere mortals and we would normally rely on the large vendors. I am glad that you have informed us that the NSA is paying companies to leave the back door unlocked. I would think that at the least, those companies would be liable for legal action by consumers. It is amazing that the NSA thinks it can spy on anyone at anytime, without legal recourse. I will be following the ACLU suit to see what happens there. If the NSA is reading this, then you have too much time on your hands!
