NSA Code Cracking Puts Google, Yahoo Security Under Fire
Disclosures that the U.S. National Security Agency can crack codes protecting the online traffic of the world’s largest Internet companies will inflict more damage than earlier reports of complicity in government spying, according to technology and intelligence specialists.
The agency has fulfilled a decades-long quest to break the encryption of e-mail, online purchases, electronic medical records and other Web activities, the New York Times, the U.K.’s Guardian and ProPublica reported yesterday. The NSA also has been given access to -- or found ways to enter -- databases of major U.S. Internet companies operating the most popular e-mail and social-media platforms, the news organizations reported.
The reports, based on documents from former intelligence contractor Edward Snowden, emerged amid an expanding debate over whether NSA surveillance activities undermine civil liberties. The revelations raise fresh questions about the security of data held by companies including Google Inc. (GOOG), Facebook Inc. (FB) and Microsoft Corp. (MSFT) just as more commerce shifts online.
“This is a fundamental attack on how the Internet works,” Joseph Lorenzo Hall, senior staff technologist at the Washington-based policy group Center for Democracy & Technology, said in an interview. “Secure communications technologies are the backbone of e-commerce” including the transfer of medical records and financial exchanges.
“People in business will either not engage in those activities, or find other ways,” Hall said.
The reports in the Guardian, the Times and the non-profit ProPublica news website said that NSA spends more than $250 million a year on a program working with technology companies to “covertly influence” product designs. The reports didn’t name the companies cooperating with the NSA and didn’t describe the extent to which the agency was using its code-breaking capability on the Internet.
The classified documents are the latest that Snowden has exposed revealing previously secret NSA programs. The 30-year-old former employee of government contractor Booz Allen Hamilton Holding Corp. (BAH) faces espionage charges in the U.S. and is in Russia under temporary asylum.
President Barack Obama’s administration has been coping with increasing public backlash over U.S. spying activities since top-secret documents leaked by Snowden began emerging in June. Foreign governments, including Brazil and Germany, have objected to U.S. surveillance and spying operations.
Brazilian authorities canceled a trip to Washington this week to prepare for President Dilma Rousseff’s state visit in October to protest allegations the U.S. spied on communications between officials in Latin America’s largest economy.
Obama told reporters at a news conference today in St. Petersburg, Russia, that “what we do is similar to what countries around the world do with their intelligence services.” He said that he had met with Rousseff and Mexican President Enrique Pena Nieto during the G-20 summit to “discuss the allegations made in the press about NSA.”
The U.S. president also said that the nation should review the spy programs to determine if they should continue. “The nature of technology and the legitimate concerns around privacy and civil liberties means that it’s important for us, on the front end, to say, all right, are we actually going to get useful information here,” he said. “And if not, or how useful is it, if it’s not that important, should we be more constrained in how we use certain technical capabilities.”
U.S. companies that are “household names” gave the NSA access to all communications, said Cedric Leighton, a former Air Force intelligence officer and a former NSA training director. Companies gave easy access to NSA because their managers believed it was necessary and they trusted that the government agency wouldn’t do anything wrong, Leighton said.
“But this takes the cake,” he said. “This has done a lot of damage to our ability to collect intelligence.”
Even before the latest reports, U.S. technology companies offering network infrastructure services such as cloud computing and popular social-networking applications were facing the prospect of losing business overseas.
Industry groups sounded alarm at the revelations. “This is a tragic case of myopia on the part of the NSA, and the surveillance infrastructure throughout the government,” said Ed Black, president of the Computer & Communications Industry Association, a Washington trade group, in a statement today. “By secretly embedding weaknesses into encryption systems in order to create a ’back door’ for surveillance access, the NSA creates a road map for similar cyber-incursions by others with less noble intentions.”
Companies offering cloud services -- in which businesses pay a third party to provide databases, storage and computing power -- may lose as much as $35 billion by 2016 as foreign companies avoid U.S. solutions because of the fear the NSA may have access to the data, according to a study released last month by the Information Technology & Innovation Foundation.
“This is a hugely disappointing revelation,” Daniel Castro, author of the Washington-based group’s study, said in an e-mail. “This most recent news will certainly contribute to the perception that U.S. Internet companies cannot be trusted.”
Michael Birmingham, a spokesman for the Office of the Director of National Intelligence, which oversees U.S. intelligence agencies, declined to comment on the reports.
“Anything that yesterday’s disclosures add to the ongoing public debate is outweighed by the road map they give to our adversaries about the specific techniques we are using to try to intercept their communications in our attempts to keep America and our allies safe,” according to a statement posted to the national intelligence office’s website today.
More Legal Protection
Obama and officials from intelligence agencies have defended the NSA’s surveillance programs as essential to thwarting possible terrorist attacks. U.S. officials have told lawmakers that the programs are legal and subject to oversight by a federal court and members of Congress.
Sixty-six percent of U.S. Internet users polled believe current laws aren’t good enough to protect people’s privacy online, according to a survey released yesterday by the Pew Research Center. That compared with 24 percent who believe current laws provide reasonable protections, Pew said. The July 11-14 telephone survey of 792 Internet users has a margin of error of plus or minus 3.8 percentage points.
Amid increasing public unease over the surveillance programs, Obama said Aug. 9 he would ask Congress to change the section of the Patriot Act allowing collection of telephone records, to increase oversight and transparency.
The president also said he’ll propose a legal advocate to serve as an adversary when spy agencies make requests in the secret sessions of the Foreign Intelligence Surveillance Court, which vets requests for electronic eavesdropping. Last week, he met for the first time with a panel he requested to review U.S. surveillance initiatives.
Leslie Miller, spokeswoman for Google, said in an e-mail that the company doesn’t “provide any government, including the U.S. government,” access to its systems.
“As for recent reports that the U.S. government has found ways to circumvent our security systems, we have no evidence of any such thing ever occurring,” Miller said. “We provide user data to governments only in accordance with the law.”
Microsoft provides the U.S. government information when “legally obligated to comply with demands,” according to a July 15 blog post by Brad Smith, general counsel for the Redmond, Washington-based company. “To be clear, we do not provide any government with the ability to break the encryption, nor do we provide the government with the encryption keys.”
Smith’s comments apply to yesterday’s reports, said Dominic Carr, a spokesman for Microsoft.
“We are unaware of and do not participate in such an effort, and if it exists, it offers substantial potential for abuse,” Suzanne Philion, spokeswoman for Sunnyvale, California-based Yahoo! Inc. (YHOO), said in an e-mail today. “Yahoo zealously defends our users’ privacy and responds to government requests for data only after considering every applicable objection and in accordance with the law.”
Facebook’s spokeswoman Sarah Feinberg didn’t respond to requests for comment.
Google, Microsoft, Apple Inc. (AAPL) and 19 other technology companies sent a letter in July to Obama and congressional leaders urging that the companies be allowed to report statistics concerning requests for user data received from intelligence agencies.
To contact the reporter on this story: Allan Holmes in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Bernard Kohn at email@example.com