— Notes from the Underground, Fyodor Dostoevsky (via autoeuthanize)
"Computers are everywhere. They are now something we put our whole bodies into—airplanes, cars—and something we put into our bodies—pacemakers, cochlear implants. They HAVE to be trustworthy."
–EFF Fellow Cory Doctorow
Cory’s right, of course. And that’s why the recent New York Times story on the NSA’s systematic effort to weaken and sabotage commercially available encryption used by individuals and businesses around the world is so important—and not just to people who care about political organizing, journalists or whistleblowers. Thanks to additional reporting, we now know it matters deeply to companies including Brazil’s Petrobras and Belgium’s Belgacom, who are concerned about protecting their infrastructure, negotiating strategies and trade secrets. But really, it matters to all of us.
We all live in an increasingly networked world. And one of the preconditions of that world has to be basic computer security—freedom to use strong technologies that are fully trustworthy.
Every casual Internet user, whether they know it or not, uses encryption daily. It’s the “s” in https and the little lock you see in your browser—signifying a secure connection—when you purchase something online, when you’re at your bank’s website or accessing your webmail, financial records, and medical records. Cryptography security is also essential in the computers in our cars, airplanes, houses and pockets.
What is the NSA Doing to Make Us Less Safe?
By weakening encryption, the NSA allows others to more easily break it. By installing backdoors and other vulnerabilities in systems, the NSA exposes them to other malicious hackers—whether they are foreign governments or criminals. As security expert Bruce Schneier explained, “It’s sheer folly to believe that only the NSA can exploit the vulnerabilities they create.”
The New York Times presented internal NSA documents with some specifics. They are written in bureaucratese, but we have some basic translations:
- “Insert vulnerabilities into commercial encryption systems, IT systems, networks and endpoint communications devices used by targets”— Sabotage our systems by inserting backdoors and otherwise weakening them if there’s a chance that a “target” might also use them.
- "actively engages US and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs" — Secretly infiltrate companies to conduct this sabotage, or work with companies to build in weaknesses to their systems, or coerce them into going along with it in secret.
- “Shape the worldwide commercial cryptography marketplace to make it more tractable to advanced cryptanalytic capabilities being developed by NSA/CSS — Ensure that the global market only has compromised systems, so that people don’t have access to the safest technology.
- "These design changes make the systems in question exploitable through Sigint collection … with foreknowledge of the modification. To the consumer and other adversaries, however, the systems’ security remains intact." — Make sure no one knows that the systems have been compromised.
- “influence policies, standards and specifications for commercial public key technologies” — Make sure that the standards that everyone relies on have vulnerabilities that are hidden from users.
Each of these alone would be terrible for security; collectively they are a nightmare. They are also a betrayal of the very public political process we went through in the 1990s to ensure that technology users had access to real security tools to keep them safe.