Friday, January 17, 2014

Every child learns not to touch a neighbor’s mailbox. “That’s a federal crime,” he’s told, and for good reason. However, the transactions and love-hate letters that used to go through physical mailboxes now go through electronic ones. The U.S. government cannot protect their privacy. What the laws and customs that surround the U.S. mail once did is now done by encryption. Government’s own role is problematic, because many of its various agencies want to look into our mailboxes by defeating encryption.

We can understand how serious a matter this is by imagining what this country would have become if federal law, while prohibiting neighbors from rifling through each other’s mailboxes, had specifically allowed federal agencies to do so. America would have developed a system of clandestine communications, or it would have become East Germany writ large.

That is why the National Security Agency’s collection of Internet traffic — combined with what appears to have been the acquisition of “backdoor” access to common encryption systems — is such a big deal. The Presidential Panel on NSA surveillance dealt with this matter with words so few and so pregnant with meaning that they did not catch the public’s attention, to wit: “Encryption is an essential basis for trust on the Internet.” Accordingly, the panel recommended that the NSA cease efforts to undermine its integrity.

A bit of history is needed to unpack these words.

By the 1970s, it had become clear that computers had enabled the art of code-making to surpass that of code-breaking. When private cryptographers wanted to release the Data Encryption Standard, a mathematical formula that is still practically unbreakable, the NSA sought to force users to embed in it a feature called a “clipper chip” that would provide a “backdoor” (accessible by court order) for the government into the emerging cyberworld. Congress adamantly refused.

By the late 1990s, an old mathematical principle applied to computer cryptography radically multiplied its complexity and security. Known as “public key,” it uses one set of algorithms — publicly available — to encrypt, and another set to decode that is related, but private to the user. In 2001, RSA, the leading U.S. developer of advanced codes, decided to adopt one of the algorithms for “public key” developed by the NSA, called “Dual Elliptic Curve.” It developed the Deterministic Random Bit Generator (Dual EC DRBG) to generate “random numbers” for its industry-standard security products.

This turned into a good deal for RSA because, with the NSA’s blessing, these products sold widely within the U.S. government and throughout the civilian world. The top Internet companies bought them as well.

The problem is, as computer-security professionals soon discovered, this system has built-in weaknesses the effects of which resemble all too closely the “backdoor” that Congress explicitly refused to grant to the NSA in the 1980s and ’90s. According to computer-security expert Bruce Schneier, the RSA-NSA approach to generating random numbers features “a bunch of constants — fixed numbers — [that] have a relationship with a second, secret set of numbers that can act as a kind of skeleton key. If you know the secret numbers, you can predict the output of the random-number generator after collecting just 32 bytes of its output.”

Mr. Schneier does not know — nor does anyone else know — who has those numbers, if anyone. Since the NSA developed the original algorithm, though, it is not much of a stretch to assume that it has those numbers. Indeed, the presidential panel’s recommendation that the NSA henceforth respect the integrity of encryption hardly makes sense in any other context.

The substantive fact that the U.S. government has done its best to gain the possibility of access to anybody’s mailbox it chooses is bad enough. Just as bad is the manner in which it appears to have proceeded; namely, by a private, secret deal with some Americans to gain access to the mailboxes of other Americans, after Congress specifically refused to give them that access.

The executives at RSA tell reporters that they had no idea, no intention of opening customer communications to government scrutiny. Whether they are sincere or not is interesting only from the standpoint of their liability to class-action lawsuits.

It’s difficult to imagine, however, that the NSA acted with any intention other than to use what recently revealed agency documents call “commercial relationships” to make into standard procedure what folks have heretofore regarded as a federal crime.

Angelo M. Codevilla is professor emeritus of international relations at Boston University and served on the staff of the Senate Intelligence Committee. He is the author of “To Make Peace Among Ourselves And With All Nations” (forthcoming from the Hoover Institution Press).