In one of the most significant leaks to date regarding National Security Agency (NSA) spying, the New York Times, the Guardian, and ProPublica reported Thursday that the NSA has gone to extraordinary lengths to secretly undermine our secure communications infrastructure, collaborating with GCHQ (Britain's NSA equivalent) and a select few intelligence organizations worldwide.
These frightening revelations imply that the NSA has not only pursued an aggressive program of obtaining private encryption keys for commercial products—allowing the organization to decrypt vast amounts of Internet traffic that use these products—but that the agency has also attempted to put backdoors into cryptographic standards designed to secure users' communications. Additionally, the leaked documents make clear that companies have been complicit in allowing this unprecedented spying to take place, though the identities of cooperating companies remain unknown.
Many important details about this program, codenamed Bullrun, are still unclear. For example, what communications are targeted? What service providers or software developers are cooperating with the NSA? What percentage of private encryption keys of targeted commercial products are successfully obtained? Does this store of private encryption keys (presumably procured through theft or company cooperation) contain those of popular web-based communication providers like Facebook and Google?
What is clear is that these NSA programs are an egregious violation of our privacy. We can and should enjoy a future where it is still possible to speak privately with fellow citizens, to freely associate and engage in political activism, and to be left alone when we want to be. If the NSA is allowed to continue building backdoors into our communications infrastructure, as law enforecement agencies have lobbied for, then the communications of billions of people risk being perpetually insecure against a variety of adversaries, ranging from foreign governments to criminals to domestic spy agencies, which would have disastrous economic consequences.
Faced with so much bad news, it's easy to give in to privacy nihilism and despair. After all, if the NSA has found ways to decrypt a significant portion of encrypted online communications, why should we bother using encryption at all? But this massive disruption of communications infrastructure need not be tolerated. Here are some of the steps you can take to fight back:
- Sign the petition to stop NSA spying. Let Congress know that It's time for a full accounting of America's secret spying programs—and an end to unconstitutional surveillance. If you are not in the US, please take the time to sign our international petition.
- In addition to signing our petition, take the time to call your elected representative using the dedicated call line: 1-STOP-323-NSA (1-786-732-3672) to voice your opposition.
- Use secure communications tools (read some useful tips by security expert Bruce Schneier). Your communications are still significantly more protected if you are using encrypted communications tools such as messaging over OTR or browsing the web using HTTPS Everywhere than if you are sending your communications in the clear.
- Finally, the engineers responsible for building our infrastructure can fight back by building and deploying better and more usable cryptosystems.
The NSA is attacking our secure communications on many fronts and we must oppose them using every method we have at our disposal. Engineers, policy makers, and netizens all have key roles to play in standing up to the unchecked surveillance state. The more we learn about the extent of the NSA's abuses, the more important it is for us to take steps to take back our privacy. Don't let the NSA's attack on secure communications be the end game. Let it be a call to arms.
