The NSA is Making Us All Less Safe
"Computers are everywhere.
To donate by check, phone, or other method, see our More Ways to Give page.
"Computers are everywhere.
Cory's right, of course. And that's why the recent New York Times story on the NSA's systematic effort to weaken and sabotage commercially available encryption used by individuals and businesses around the world is so important--and not just to people who care about political organizing, journalists or whistleblowers. Thanks to additional reporting, we now know it matters deeply to companies including Brazil's Petrobras and Belgium's Belgacom, who are concerned about protecting their infrastructure, negotiating strategies and trade secrets. But really, it matters to all of us.
We all live in an increasingly networked world. And one of the preconditions of that world has to be basic computer security--freedom to use strong technologies that are fully trustworthy.
Every casual Internet user, whether they know it or not, uses encryption daily. It's the "s" in https and the little lock you see in your browser--signifying a secure connection--when you purchase something online, when you're at your bank's website or accessing your webmail, financial records, and medical records. Cryptography security is also essential in the computers in our cars, airplanes, houses and pockets.
By weakening encryption, the NSA allows others to more easily break it. By installing backdoors and other vulnerabilities in systems, the NSA exposes them to other malicious hackers--whether they are foreign governments or criminals. As security expert Bruce Schneier explained, "It's sheer folly to believe that only the NSA can exploit the vulnerabilities they create."
The New York Times presented internal NSA documents with some specifics. They are written in bureaucratese, but we have some basic translations:
Each of these alone would be terrible for security; collectively they are a nightmare. They are also a betrayal of the very public political process we went through in the 1990s to ensure that technology users had access to real security tools to keep them safe.
Ensuring your ability to have real security and privacy online was one of EFF's earliest goals and protecting your ability to use strong encryption was one of our first victories.
In the 1990s, the Clinton administration tried several things to ensure that our technologies were not very safe, including proposing the now-infamous "Clipper Chip," which sought to compel companies insert backdoors into commercial encryption technologies and enforcing export regulations that effectively prevented the development and distribution of strong encryption.
But in the 1990s, we had a long list of supporters for strong security online, including then-Senator (later Bush Attorney General) John Ashcroft, Senator (current Secretary of State) John Kerry, the National Association of Manufacturers, the U.S. Public Policy Committee of the Association for Computer Machinery, National Computer Security Association and the American Association For The Advancement Of Science.
At the time, the Internet Architecture Board and the Internet Engineering Steering Group, the bodies that oversee architecture and standards for the Internet, put it best, stating:
[a]s more and more companies connect to the Internet, and as more and more commerce takes place there, security is becoming more and more critical. Cryptography is the most powerful single tool that users can use to secure the Internet. Knowingly making that tool weaker threatens their ability to do so, and has no proven benefit.
(emphasis added). These risks have only increased substantially over the past 15-20 years, as virtually all records, both public and private are maintained electronically and stored in networked environments.
The Clipper Chip proposal was defeated in the late 1990s and the encryption regulations were rolled back shortly thereafter. And we thought the matter was settled: the government had no business sabotaging the security of digital devices or communications.
That's why the revelations last week were so shocking and, frankly, angering. Having lost its efforts to make us less safe in Congress, in the public debate, and in the courts, the NSA simply thumbed its nose at our democratic mechanisms and proceeded to sabotage our security anyway--in secret.
Making matters worse, the NSA put itself on the front lines of "cybersecurity" debate, ostensibly because it was concerned about computer security of ordinary people and businesses. That is supposed to be one of NSA's roles. Yet, one of the most disturbing anecdotes from the New York Times story on encryption was the NSA meeting confidentially with companies under the guise of helping with cybersecurity but then using information they gleaned to weaken systems or induce the companies to do so:
Even agency programs ostensibly intended to guard American communications are sometimes used to weaken protections. The N.S.A.'s Commercial Solutions Center, for instance, invites the makers of encryption technologies to present their products to the agency with the goal of improving American cybersecurity. But a top-secret N.S.A. document suggests that the agency's hacking division uses that same program to develop and "leverage sensitive, cooperative relationships with specific industry partners" to insert vulnerabilities into Internet security products.
This should give any company pause. It should give Congress pause when crafting dangerous new laws, like an "information sharing" bill just proposed by Sen. Feinstein, that give the NSA new powers. And it should give all of us pause as we consider whether the NSA has become an agency that believes itself to be above the law and beyond our democratic processes.
Thankfully, the recent disclosures have led to at least some change. The National Institute of Standards and Technology (NIST), the government agency in charge of one of the cryptographic standards the NSA has alleged to have secretly weakened, has reopened public comment on its standard and has even gone as far as to recommend people do not use it anymore.
And we're beginning to see the international computer security community come to grips with this disturbing news.
But we must do more.
But the public debate must start from a fundamental principle: The NSA has been making us less safe and it must stop. Now.
We're optimists who believe in the power of informed and engaged citizens to ignite and enact change to make the world a better place.
We're hundreds of thousands strong, but every single supporter counts.
Your contribution supports this new media model—free, independent, and dedicated to uncovering the truth. Stand with us in the fight for social justice, human rights, and equality. As a people-powered nonprofit news outlet, we cover the issues the corporate media never will. Join with us today!