The U.S. National Security Agency's efforts to defeat encrypted Internet communications, detailed in news stories this week, are an attack on the security of the Internet and on users' trust in the network, some security experts said.
The NSA and intelligence agencies in allied countries have found ways to circumvent much of the encryption used on the Internet, according to stories published by The New York Times, ProPublica and the Guardian. The NSA, the British GCHQ and other spy agencies have used a variety of means to defeat encryption, including supercomputers, court orders and behind-the-scenes agreements with technology companies, according to the news reports.
The reports, relying on documents provided by former NSA contractor Edward Snowden, show that many tech companies are collaborating with the spy agencies to "destroy privacy," said cryptographer and security specialist Bruce Schneier. "The fundamental fabric of the Internet has been destroyed."
The new revelations should raise major concerns from Internet users over who they can trust, Schneier added. "I assume that all big companies are now in cahoots with the NSA, cannot be trusted, are lying to us constantly," he said. "You cannot trust any company that makes any claims of the security of their products. Not one cloud provider, not one software provider, not one hardware manufacturer."
The NSA appears to be defeating encryption not by brute force but by "cheating," attempting to build backdoors into systems and strong-arm companies into giving it information, Schneier said.
Digital rights group the Center for Democracy and Technology echoed some of Schneier's concerns, with CDT senior staff technologist Joseph Lorenzo Hall calling the NSA's encryption circumvention efforts "a fundamental attack on the way the Internet works."
The NSA has been working for years to build backdoor vulnerabilities into encryption standards and technology products, the stories said. A representative of the NSA didn't respond to a request for comment on the stories.
Hall criticized those efforts. "In an era in which businesses, as well as the average consumer, trust secure networks and technologies for sensitive transactions and private communications online, it's incredibly destructive for the NSA to add flaws to such critical infrastructure," he said in an email. "The NSA seems to be operating on the fantastically naïve assumption that any vulnerabilities it builds into core Internet technologies can only be exploited by itself and its global partners."
The New York Times story this week, citing a Guardian report from July, said Microsoft has worked with the NSA to provide the agency with pre-encryption access to Outlook, Skype and other products.
Microsoft has repeatedly denied helping the NSA break encryption on its products. The company complies with legal court orders for information on its customers and will provide agencies with unencrypted customer information residing on its servers if ordered by a court to do so, a spokeswoman said.