- The Washington Times - Tuesday, October 8, 2013

In its relentless effort to expand its surveillance capabilities, the National Security Agency has eroded trust in the process that secures online financial transactions and forms the foundations of privacy and security on the Web, computer scientists and Internet security specialists say.

Recently leaked documents have revealed that the NSA has sought to defeat encryption, which scrambles confidential data to shield it from prying eyes. One critic compares the NSA effort to a misguided plot to sabotage vaccines.

“Suppose the U.S. government says terrorists are getting vaccinated, and in response to that, they decided they were going to put saltwater instead of vaccine in every vaccination needle in the world,” said Jon Callas, co-inventor of Pretty Good Privacy, the most widely used email encryption system. “That would be terrible. It would be inhuman. But if it’s true [about NSA efforts], it’s kind of like that.”

SEE ALSO: Wyden: NSA eavesdropping is hurting U.S. economy

Documents leaked by former NSA contractor Edward Snowden show that the agency used financial incentives, secret courts and outright theft to acquire the digital “keys” to widely used commercial encryption technologies. The agency, working with its British counterpart, Government Communications Headquarters, also built software “back doors” into encryption packages and, some suspect, inserted vulnerabilities into encryption standards.

News that the NSA is trying to defeat encryption is “very disconcerting,” said Tatu Ylonen, the Finnish computer scientist who invented Secure Shell, the encryption protocol used by almost all large commercial enterprises such as banks and credit card companies.

Suspicion: The National Security Agency used financial incentives, secret courts and theft to breach privacy, leaked documents show. (Associated Press)
Suspicion: The National Security Agency used financial incentives, secret courts and theft ... more >

“I don’t like the idea of someone breaking into my house. These days, most of my valuable stuff is on my computer, so I don’t like the idea of someone breaking into my computer. It doesn’t matter who is doing it or why,” Mr. Ylonen said.

Director of National Intelligence James R. Clapper has said the NSA “would not be doing its job” if it didn’t try to defeat encryption, noting that it is used routinely by spies, terrorists and other malefactors.

Current and former officials say the capabilities are used only against legitimate foreign intelligence targets, such as officials of a foreign power or members of a terrorist group.

The NIST connection

Encryption scrambles digital documents and email according to a mathematical formula, or algorithm. The data can be unscrambled and read only with a special digital key.

Online information is routed from computer to computer until it reaches its destination, exposing the data to interception and eavesdropping. Encryption is the basis for any kind of privacy or security on the Web.

For example, the small padlock in a browser address bar that tells computer users they are securely connected to an online bank or store is based on a form of encryption called Transport Layer Security or Secure Sockets Layer.

Online eavesdroppers might be able to see where encrypted traffic is going, but they cannot read it — which is how passwords, credit card numbers and other sensitive information are protected on the Web.

Alarmed by the growth of encryption technologies, the NSA in the 1990s tried to mandate the introduction of “back doors,” or secret keys for commercial encryption services. The agency failed, but the latest Snowden documents show it did not give up.

“We thought in the past that the standards [the U.S.] government promoted were designed to improve security,” said Mr. Callas, now chief technology officer for Silent Circle, a firm offering encryption services for phone calls, video chats and instant messaging. “Now I have a raised eyebrow [about that]. It’s a question.”

Story Continues →